SENSS: Implementing Cisco Edge Network Security Solutions, Volume 2, Student Guide, Version 1.0

Table of Contents

Threat Controls Deployment on Cisco ASA
- Introducing Cisco Firewall Threat Controls
  - Overview of Firewall Threat Controls
  - Cisco Modular Network Architecture and Firewall Threat Controls
  - Firewall Filtering Layers
  - Firewall Filtering Approaches
  - Firewall Filtering Technologies
  - Combining Firewall Filtering Technologies
  - Firewall Threat Controls and Cisco Products and Features
  - Summary
- Deploying Basic Cisco ASA Access Policies
  - Overview of Cisco ASA Access Control Features
  - Connection Table
  - Examining the Connection Table
  - Local Host Table
  - Examining the Local Host Table
  - Connection Table Logging
  - Interface ACLs
  - Configure Interface ACLs
  - Verify Interface ACLs
  - Global ACLs
  - Configure Global ACLs
  - Verify Global ACLs
  - Object Groups
  - Configure Object Groups
  - Verify Object Groups
  - Troubleshoot ACLs
  - Summary
- Deploying Advanced Cisco ASA Access Policies
  - Advanced Cisco ASA Access Policies Overview
  - Cisco MPF Overview
  - OSI Layer 3-4 Policies Overview
  - Default OSI Layer 3-4 Stateful Tracking
  - Tune OSI Layer 3-4 Stateful Tracking
  - Verify OSI Layer 3-4 Stateful Tracking
  - Support for Dynamic Protocols
  - Configure Support for Dynamic Protocols
  - Verify Support for Dynamic Protocols
  - Application Layer (OSI Layer 5-7) Policies Overview
  - HTTP Inspector Overview
  - Configure HTTP Inspection
  - Verify HTTP Inspection
  - FTP Inspector Overview
  - Evaluate Application Inspection of Other Protocols
  - Summary
- Deploying Reputation-Based Cisco ASA Access Policies
  - Overview of Cisco Botnet Traffic Filter
  - Configure the Cisco Botnet Traffic Filter
  - Verify the Cisco Botnet Traffic Filter
  - Summary
- Deploying Identity-Based Cisco ASA Access Policies
  - Overview of Identity Firewall
  - Identity Firewall Flow
  - Cisco CDA Overview
  - Integrate Cisco CDA with AD and Cisco ASA
  - Verify Cisco CDA Integration with AD
  - Integrate Cisco ASA with AD and Cisco CDA
  - Verify Cisco ASA Integration with AD and Cisco CDA
  - Configure Identity-Based Access Rules
  - Verify the Identity-Based Firewall
  - Troubleshoot Identity-Based Firewall
  - Summary
- Module Summary
- Module Self-Check

Threat Controls Deployment on Cisco IOS Software
- Deploying Basic Cisco IOS Zone-Based Policy Firewall Access Policies
  - Overview of Cisco IOS Zone-Based Policy Firewall
  - Configure Zones and Zone Pairs
  - Verify Zones and Zone Pairs
  - Configure a Basic OSI Layer 3 and 4 Interzone Access Policy
  - Verify a Basic OSI Layer 3 and 4 Interzone Access Policy
  - Configure a Basic OSI Layer 3 and 4 Intrazone Access Policy
  - Configure Inspection of Control Plane and Management Plane Traffic
  - Tune Stateful Engine and Connection Settings
  - Configure Support for NAT
  - Troubleshoot the Zone-Based Policy Firewall
  - Summary
- Deploying Advanced Cisco IOS Zone-Based Policy Firewall Access Policies
  - Overview of Advanced Access Policies
  - Overview of Application Layer Access Policies
  - HTTP Inspector Overview
  - Configure HTTP Inspection
  - Verify HTTP Inspection
  - Inspection of Instant Messaging
  - Inspection of Peer-to-Peer Protocols
  - Application Inspection
  - URL Filtering Methods in Cisco IOS Zone-Based Policy Firewall
  - Configure Local-Based URL Filtering
- Module Summary
- Module Self-Check
- Glossary

Module 4: Threat Controls Deployment on Cisco ASA

Introduction

The Cisco ASA adaptive security appliance helps enforce security policies within networks. In this module, you will examine the basic and advanced threat controls that are available in Cisco ASA products. The threat controls include access control features, application inspection features, Botnet Traffic Filtering, and identity-based access control.

Upon completing this module, you will be able to:
- Provide an overview of Cisco firewall threat controls
- Describe and configure basic Cisco ASA access policies
- Describe and configure advanced Cisco ASA access policies
- Describe and configure reputation-based Cisco ASA access policies
- Describe and configure identity-based Cisco ASA access policies

Lesson 1: Introducing Cisco Firewall Threat Controls

Overview

Firewall systems are the basic threat defense method based on network zoning. Firewall systems can provide a set of effective methods to protect exposed services and business processes by using different traffic filtering approaches and technologies. This lesson discusses firewall threat controls and the common filtering approaches and technologies that are combined into firewall systems.

Upon completing this lesson, you will be able to:
- Describe threat controls
- Place firewall threat controls in the Cisco modular network architecture design
- Describe how firewall systems can filter traffic at different OSI layers
- Describe restrictive and permissive firewall approaches
- Describe firewall filtering technologies
- Describe how to combine firewall filtering technologies
- Describe Cisco products and features that are available to implement firewall threat controls

Overview of Firewall Threat Controls

This topic describes firewall threat controls.

Overview of Firewall Threat Controls
- Threat controls are usually implemented at the most exposed and critical parts of the network: the Internet edge and the intranet data center.
- Publicly facing parts of the network are exposed to a wide array of external threats.

Controls against various threats should be implemented at least at the most exposed and critical parts of the enterprise network:
- The Internet edge is the network infrastructure that provides connectivity to the Internet and that acts as the gateway for the enterprise to the rest of the cyberspace. The Internet edge is public-facing network infrastructure and is particularly exposed to a wide array of external threats. Some of the expected threats are as follows:
  - DoS attacks
  - Spyware, malware, and adware
  - Network intrusion and unauthorized network access
  - Email spam and viruses
  - Web-based phishing, viruses, and spam
  - Application layer attacks (XML attacks, cross-site scripting, and so on)
  - Identity theft, fraud, and data leakage
- The intranet data center houses most of the critical applications and data for the enterprise. The intranet data center is primarily accessed by internal clients from the internal enterprise network. The intranet data center is subject to external threats, but threats can also be launched against it from inside the network perimeter.
The following are some of the threat vectors affecting the intranet data center:
  - Unauthorized access
  - Interruption of service
  - Data loss
  - Data modification

Unauthorized access can include unauthorized device access and unauthorized data access. Interruption of service, data loss, and data modification can be the result of targeted attacks. A single threat can leverage one or more of these areas. Specifics can include the following: privilege escalation; malware; spyware; botnets; DoS; traversal attacks (including directory and URL traversal); cross-site scripting attacks; SQL attacks; malformed packets; viruses; worms; and man-in-the-middle.

Overview of Firewall Threat Controls (Cont.)
Implementing threat controls involves partitioning of the network into security zones:
- Security zones use physical or logical separation methods to ensure a single point of transit between zones: the zone interface points.
- Firewall threat controls should be deployed at the zone interface points.

A common approach to implementing threat controls involves separating the network into individual zones, and minimizing the interactions between these zones. This approach is commonly applied to enterprise networks, where security designers partition the network into security zones, and control network access between these zones using access controls that are implemented by firewall systems.

These zones are created by using either physical separation, where each zone uses separate physical infrastructure, or logical separation, where resources are separated using logical separation techniques, such as VLANs, VRF-Lite, MPLS, and similar methods. In most cases, there should be only one single point of transit between these zones (the so-called zone interface points), where access control can be enforced in a scalable and manageable manner.

Overview of Firewall Threat Controls (Cont.)
- The firewall enforces access control between security zones. It must be resistant to attacks, and all traffic between zones must pass through it.
- Next-generation, context-aware firewalls are also able to identify users, applications, and devices, and use security intelligence, such as reputation filtering.
A firewall is a system that enforces an access control policy between two or more security zones. All firewalls share common properties:
- The firewall itself must be resistant to attacks; otherwise, it would allow an attacker to disable the firewall or change its access rules.
- All traffic between security zones must flow through the firewall. This restriction prevents a backdoor connection that could be used to bypass the firewall, violating the network access policy.
- A firewall can be a single device or a set of multiple devices. Each device provides a specific traffic filtering role to achieve the desired level of protection. For example, a firewall designer may choose to include traffic filtering devices, proxies, network intrusion prevention systems, and similar components to build a firewall system.

A next-generation, context-aware firewall also performs these functions:
- It identifies users, devices, and applications, and it applies application-specific policies. Identification of users is usually done with integration with user databases, such as LDAP or Microsoft Active Directory.
- It uses additional security intelligence, such as application visibility and filtering, or reputation-based filtering.

Cisco Modular Network Architecture and Firewall Threat Controls

This topic places firewall threat controls into the Cisco modular network architecture design.

The figure illustrates where in the Cisco modular network architecture firewall threat controls should be deployed. Usually, the firewall threat controls are implemented on the Internet edge, which consists at least of the service provider edge, the enterprise DMZ, remote access, and the Internet edge distribution. The firewall system should control traffic between all these parts of the Internet edge. Firewall threat controls should also be deployed in the intranet data center to control access to critical enterprise applications and data. Virtualization in data centers not only changed the way data centers are built, but also the way security in data centers is built. Server virtualization created new challenges for security deployments.
Visibility into virtual machine activity and isolation of server traffic became more difficult when virtual machine-sourced traffic could reach other virtual machines within the same server without being sent out of the physical server. Therefore, security architects should also take into consideration the implementation of virtual firewall controls, which offer visibility into traffic within a single server with many virtual machines. Firewall threat controls should also be deployed in branch offices if the offices require local connectivity to the Internet, or if zoning of the branch network is required to filter traffic between different branch segments.

Firewall Filtering Layers

This topic describes how firewall systems can filter traffic at different OSI layers.

Firewall components can operate on different OSI layers:
- Network layer (Layers 2-4) access control: Minimizes connectivity between hosts and their applications.
- Application layer (Layers 5-7) access control: Controls payload and content inside permitted connections.

An access policy defines the connectivity that is allowed according to the security policy of the organization. Firewall systems enforce the access policy at two levels:
- Network layer access control: This approach works at OSI Layers 2 through 4 and restricts which hosts can communicate with which peers and applications. For example, a network layer access control policy can permit HTTP connections to all servers on the Internet.
- Application layer access control: This approach works at OSI Layers 5 through 7 and controls the payload and content inside the connections that the network layer policy has permitted. For example, it can inspect the web content inside permitted HTTP connections and block malicious content.

Firewall Filtering Approaches

This topic describes restrictive and permissive firewall filtering approaches.

Firewall components can operate in different access control modes:
- Restrictive access control: Everything not explicitly allowed is prohibited.
- Permissive access control: Everything not explicitly prohibited is allowed.

A firewall system can implement access control using one or both of the following two approaches:
- The restrictive (or proactive) approach: In this approach, the firewall by default denies all communication and allows only the aspects of communication that are explicitly permitted. Examples of this approach are packet filtering devices that allow only specific hosts and applications to pass, or mail proxies that would allow only text-based mail attachments.
- The permissive (or reactive) approach: In this approach, the firewall by default permits all communication and blocks only those aspects of communication that it considers malicious, based on its attack signature database. Examples of this approach are network IPSs and network antivirus systems.

Firewall Filtering Technologies

This topic describes firewall filtering technologies.

The following are the mainstream filtering technologies:
- Stateless packet filtering
- Stateful packet filtering
- Stateful packet filtering with AIC (or AVC)
- Reputation-based filtering
- Network IPS
- Application layer gateways (proxies)

When you deploy firewall systems for network protection, you must understand their different components. Depending on your network needs, mandatory compliance, and access methods, you may require that specific firewall system options be set. Modern firewall systems use several mainstream traffic filtering technologies.

Firewall Filtering Technologies (Cont.)
Stateless packet filtering:
- Relies on a static rulebase of packet descriptions to permit or deny
- Works best with stateless applications or Layer 3 filtering
- Transparency and high performance
- Typically used for a restrictive approach

Stateless packet filtering is one of the oldest and most widely used network access control technologies. Stateless packet filtering is usually employed by an OSI Layer 3 device, such as a network router using ACLs. Stateless packet filters use a statically defined set of rules that independently (that is, statelessly, without regard to previous or future packets) examine the headers or payload of each packet prior to making a forwarding decision across the device. Stateless packet filtering usually examines protocol headers of the network and transport OSI layers.
However, it can be extended to the application layer by examining packet payloads and parsing packets to decode their application layer protocol for simpler access rule configuration. Cisco IOS FPM allows the decoding of OSI Layer 3 through Layer 7 protocols and matching based on the packet payload.

Firewall Filtering Technologies (Cont.)
Stateful packet filtering:
- Reliable access control on Layers 3 and 4
- Simplicity of configuration
- High performance
- Typically used for a restrictive approach

Stateful packet filtering is an application-aware method of packet filtering that works on the connection (or flow) level, with occasional looks into the application layer. Stateful packet filters maintain a state table to keep track of all active sessions that are crossing the firewall, such as a Cisco Adaptive Security Appliance or a Cisco Integrated Services Router that is configured with a zone-based policy firewall. The state table, which is an internal structure of a stateful packet filter, tracks all OSI Layer 4 sessions and inspects all packets that are passing through the device. Based on its memory of previous packets in a session, a stateful packet filter can anticipate which kind of traffic should arrive from the communicating hosts in the near future. If the packets have the properties that are predicted by the state table, they are forwarded. The state table changes dynamically based on the traffic flow. Stateful packet filters are also application aware while additional deeper inspection of transit traffic is performed, which is required to manage dynamic applications. Dynamic applications typically open an initial connection on a well-known port and then negotiate additional OSI Layer 4 connections through the initial session. Stateful packet filters support these dynamic applications by analyzing the contents of the initial session and parsing the application protocol just enough to learn about the additional negotiated channels. A stateful packet filter typically assumes that if the initial connection was permitted, any additional transport layer connections of that application should also be permitted.

Firewall Filtering Technologies (Cont.)
Stateful packet filtering with AIC or AVC:
- Reliable access control on Layers 3-7
- Simplicity of configuration
- Transparent, medium performance operation
- Typically used for a restrictive and permissive approach

Stateful packet filtering with AIC or AVC: Many users of stateful packet filtering have increasingly demanded higher application layer awareness of their stateful packet filter-based firewalls. Most vendors have improved the application layer analysis on their pure stateful packet filtering devices by enhancing the traffic analysis engine with a service called AIC or AVC. Such devices can verify whether the application conforms to standards and are able to filter traffic based on application protocol headers and their content. Examples of devices that employ stateful packet filtering with AIC and AVC include the Cisco ASA 5500-X Series Next-Generation Firewalls, which can recognize and filter over 1000 applications and more than 75,000 microapplications.

Firewall Filtering Technologies (Cont.)
Reputation-based filtering:
- Traffic is filtered or allowed based on the reputation of a source IP address
- Simplicity of configuration
- Requires a reputation database
- Participating devices can send data back to the reputation database to update the database

Reputation-based filtering: This form of filtering analyzes traffic and correlates the results of the analysis with the reputation of a traffic source or destination IP address. Reputation-based filtering requires an external reputation database, with which the filtering device communicates and which provides reputation scores for each traffic source or destination IP address.
The participating devices send data back to the reputation database, where the feedback is stored to keep the updates in the database current. Examples of devices that use reputation-based filtering include the Cisco ASA 5500-X Series Next-Generation Firewalls with Botnet Traffic Filtering, Cisco IPS Sensors with global correlation, the Cisco Email Security Appliance, and the Cisco Web Security Appliance. All Cisco devices that use reputation-based filtering use threat intelligence feeds from Cisco Security Intelligence Operations.

Firewall Filtering Technologies (Cont.)
Network IPS:
- Attack signature database
- Transparent, medium performance operation
- Typically used for a permissive approach

A network IPS is a network control that analyzes traffic and attempts to block known malicious traffic based on a built-in and periodically updated attack signature database. The attack signature database contains descriptions of traffic patterns (usually bit strings) that indicate a known attack inside the traffic stream.

Firewall Filtering Technologies (Cont.)
Application layer gateways (proxies):
- Reliable access control on Layers 3-7
- Automatic protocol normalization
- Ability to perform deep content analysis with blocking
- Can embed permissive or restrictive filtering

An application layer gateway, also known as a proxy, acts as an intermediary and relays application layer requests and responses between clients and servers. The client connects to the proxy and submits an application layer request that indicates the true destination and the requested data. The proxy opens a session to the destination server, impersonates the client, and obtains the requested data. The proxy passes the data, which might be filtered and changed, back to the client. In terms of access control, a proxy can limit access based on the source and destination of the request, the request itself, and the data returned. This access control can include allowing only specific file types to be downloaded, limiting scripting languages inside HTML content, scanning content for malware, and so on.
In the example in the figure, the HTTP ALG filters out the JavaScript in the response from the web server to the client. Cisco Email Security Appliances and the Cisco WSA are examples of proxy devices.

Combining Firewall Filtering Technologies

This topic describes how to combine firewall filtering technologies.

Combining Firewall Filtering Technologies
- Use security zones and implement least-privilege traffic filtering between them
- Harden the network controls
- Combine restrictive and permissive controls: stateful packet filters with AIC, network IPS, proxies (standalone in a DMZ, or cloud-based), and virtualized controls

When you implement network controls, follow these guidelines:
- Separate the network into security zones and implement least-privilege traffic filtering on the boundaries between the zones.
- Harden the network controls with trusted and patched software, and use AAA and secure management protocols to access the network controls.
- A firewall system should use multiple technologies and devices in order to combine permissive and restrictive approaches:
  - Stateful packet filters with AIC are the most flexible technology and a good starting point to base your network layer access control on. Therefore, build your basic firewall architecture with stateful packet filters as the central access control elements and then add additional features or devices to the architecture.
  - You can add a network IPS component to provide permissive (signature-based) access control to and from particular security zones. Moreover, you can preferably use an integrated IPS software or hardware module (such as the IPS module inside a Cisco Adaptive Security Appliance) to add IPS services to traffic selectively, based on the traffic flow specification, rather than apply it to all traffic to and from a specific zone. You can also use the AVC component of the Cisco ASA 5500-X Series Next-Generation Firewalls to provide application visibility and control for more than 1000 applications and 75,000 microapplications.
  - You can add a proxy (by using a product such as the Cisco Web Security Appliance) to provide deep packet inspection with blocking.
  - Complex security devices, such as standalone proxies, should be set up in a DMZ in order to limit the damage if the proxy component is compromised.
  - You can also use cloud-based proxies (such as Cisco Cloud Web Security) in order to lower the total cost of ownership and provide a single security policy for all users, regardless of their connectivity type or location.
  - You can use virtualized controls (such as the Cisco Virtual Security Gateway and the Cisco ASA 1000V Cloud Firewall) to secure access to virtualized data centers in enterprise and cloud provider environments.

Firewall Threat Controls and Cisco Products and Features

This topic describes Cisco products and features that are available to implement firewall threat controls.

The following are some common Cisco devices and features that can be used to implement firewall threat controls:
- Cisco IOS (and IOS XE) Software Routers with Context-Based Access Control Firewall: CBAC specifies what traffic is allowed to be let in and what traffic needs to be let out by using access lists (in the same way that Cisco IOS uses access lists). However, CBAC access lists include ip inspect statements that allow the inspection of the protocol so that return traffic can reach the hosts behind the firewall.
- Cisco IOS (and IOS XE) Software Routers with Zone-Based Policy Firewall: Cisco IOS Software Release 12.4(6)T introduced ZFW, a new configuration model for the Cisco IOS Firewall feature set. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.
- Cisco Adaptive Security Appliance 5500-X Series, and Cisco ASA Services Module: Cisco ASA 5500-X Series Next-Generation Firewalls are powered by Cisco ASA Software, with enterprise-class stateful packet inspection and next-generation firewall capabilities. Cisco ASA 5500-X Series Next-Generation Firewalls are available as:
  - Scalable, standalone appliances for branch offices, midsize businesses, securing the Internet edge, and enterprise data centers
  - High-performance blades that integrate with the Cisco Catalyst 6500 Series Switches
  - Virtual instances to provide enterprise-class security for private and public clouds

Note: This course focuses on the Zone-Based Policy Firewall on Cisco IOS Software and on the Cisco ASA 5500-X Series appliances.

Summary

This topic summarizes the key points that were discussed in this lesson.

- Firewall threat controls should be deployed at the most exposed parts of the network.
- Firewall systems can enforce access control at different OSI layers.
- Firewalls can implement access control using restrictive or permissive approaches.
- Firewall systems use several mainstream filtering technologies. You should combine different filtering technologies when deploying firewall systems.

Lesson 2: Deploying Basic Cisco ASA Access Policies

The Cisco Adaptive Security Appliance 5500-X Series Next-Generation Firewalls provide the administrator with a set of access control methods that can tightly control access between security zones in networks. The Cisco ASA is an application-aware, stateful packet filtering firewall that tracks connections in a connection table. To control which sessions can enter the connection table, administrators use the most fundamental of Cisco ASA access controls: interface and global access control lists.
This lesson describes the Cisco ASA connection table, and describes how to configure and verify interface and global ACLs. The lesson also describes how to configure object groups, which can significantly reduce ACL complexity. The lesson concludes with instructions on troubleshooting ACLs on the Cisco ASA.

Upon completing this lesson, you will be able to:
- Describe Cisco ASA basic access control features
- Describe the connection table
- Examine and administer the connection table
- Describe the local host table
- Examine and administer the local host table
- Describe connection table logging
- Describe Cisco ASA interface ACLs
- Configure interface ACLs
- Verify interface ACLs
- Describe Cisco ASA global ACLs
- Configure global ACLs
- Verify global ACLs
- Describe Cisco ASA object groups
- Configure object groups on the Cisco ASA
- Verify object groups on the Cisco ASA
- Troubleshoot ACLs on the Cisco ASA

Overview of Cisco ASA Access Control Features

This topic describes Cisco Adaptive Security Appliance basic access control features.

Overview of Cisco ASA Basic Access Control Features
Cisco ASA is an application-aware stateful packet-filtering device:
- Connections are tracked in the connection table.
- Interface ACLs control which sessions can enter the connection table.
- Global ACLs make ACL management easier.
- Object groups allow grouping of addresses and services for use in ACLs.

Cisco ASA access control features:
- The Cisco ASA security appliance is fundamentally an application-aware stateful packet filtering device. The ASA tracks all connections across the ASA in the connection table.
- Cisco ASA security appliance interface ACLs are the most commonly used access control mechanism on the appliance and control which sessions can enter the connection table.
- The global ACLs of the Cisco ASA make management of the access policy configuration easier.
- The object groups allow you to arbitrarily group hosts, resources, or services that share the same policy. This grouping optimizes the access rules.
Connection Table

This topic describes the connection table.

Connection Table
The Cisco ASA tracks all user connections in a connection table.
- Allowed connections enter the connection table as connection objects.
- Subsequent packets that arrive at the appliance must match the currently expected connection properties from the table; otherwise, they are dropped.
- The table is constantly updated based on forwarded (permitted) traffic.

State tables on the Cisco Adaptive Security Appliance act as the device short-term memory. In essence, the state tables describe the environment of the connected devices and the traffic that the appliance has seen in the past, in order to predict correct future traffic. In the connection table, the appliance tracks all connections that were permitted across the device. All packets of existing sessions that arrive at a security appliance interface must match the packet properties that are recorded in the connection table for that particular connection. If a packet belongs to an existing connection but does not match the expected properties, the Cisco ASA drops the packet. If a packet arrives at an appliance interface and does not match any connection in the connection table, it is compared against the Cisco ASA access rules.

The connection table is constantly updated based on the properties of permitted packets. When a packet is permitted, the state table entry of the particular connection is adjusted based on the protocol that is involved.

Connection Table (Cont.)
The Cisco ASA tracks various connection properties, depending on the transport protocol on which the connection is based. By default, the Cisco ASA security appliance statefully inspects only TCP and UDP flows and automatically allows TCP and UDP return packets; however, stateful ICMP and IPsec ESP tracking is disabled by default.
- TCP connections: The security appliance tracks a comprehensive set of connection parameters: the connecting IP addresses, the source and destination ports, the TCP state machine (that is, it knows whether a connection is establishing, established, or closing), and the TCP sequence numbers in both directions. Additionally, by default, for each new connection the security appliance randomizes the sequence number between the inside and outside networks (based on a secret key). It also remembers the difference between the original and randomized sequence numbers for all subsequent packets of the connection. The security appliance also tracks the idle time of the connection in established, half-open, and closing states. A TCP connection enters the connection table if the security policy of the appliance permits its initial synchronization (SYN) packet. If either connection endpoint closes the connection with a reset (RST), or if both endpoints mutually close the connection using FIN packets, the connection is deleted from the connection table. A TCP flow that is idle for more than a configurable idle time is deleted from the connection table. The security appliance also tracks half-open flows.
- UDP flows: The security appliance tracks the IP addresses, the source and destination ports of a UDP flow, and the idle time since the last packet of the flow was seen by the security appliance. For some applications, the security appliance also checks application request identifiers (such as the DNS request identifier) to prevent response packet spoofing attacks. A UDP flow enters the connection table if the appliance security policy permits it. A UDP flow that is idle for more than a configurable idle time is deleted from the connection table.
- ICMP: The security appliance tracks the IP addresses, the ICMP type and code, the ICMP packet identifier, and the idle time of the request. A ping request enters the connection table if the appliance security policy permits it. When the ping target replies with an echo reply, the ICMP entry is deleted from the connection table. A ping entry that is idle for more than a configurable idle time is deleted from the connection table. However, by default, the security appliance treats ICMP ping traffic statelessly. To permit echo reply packets, you must allow the packets by using an ACL, or you must enable ICMP inspection.
- ESP tunnel flows through the Cisco ASA: The appliance tracks the IP addresses, the security parameter index (SPI), the tunnel ID, and the idle time of the ESP tunnel session. An IPsec ESP session enters the connection table if the appliance security policy permits it. An IPsec ESP session that is idle for more than a configurable idle time is deleted from the connection table. By default, the security appliance treats ESP traffic statelessly. To enable the appliance to treat ESP statefully, you must enable IPsec inspection of pass-through traffic.

Examining the Connection Table

This topic describes how to examine and administer the connection table.

You can use the show conn command to examine the current content of the connection table. The show conn command displays the number of active connections and information about each individual connection. In the figure, there are eight connections in the connection table: three of them based on TCP, two based on UDP, an ICMP ping entry, an IPsec ESP tunnel, and a GRE tunnel. For each entry, you can observe the involved Cisco Adaptive Security Appliance interfaces, IP addresses, ports (for TCP and UDP sessions) or session IDs (for GRE and ICMP sessions, shown in the source port field), the current idle time, and the cumulative bytes that are transferred between the two endpoints. For TCP connections, you can also observe connection flags that indicate the state of the TCP state machine for that particular connection. GRE traffic is allowed if the access rules permit it. The Cisco ASA does not statefully inspect GRE traffic.

You can use the clear conn command to delete a specific connection from the connection table. When you delete a TCP connection, the application using that connection will be disrupted and may not automatically recover. For other types of connections, such as UDP, applications will typically recreate their connection objects automatically. You can also use the clear conn command without any arguments to delete all connections in the connection table.
Examining the Connection Table (Cont.)

You should analyze the flags of the entries in the TCP connection table, because the flags can indicate various issues if you are troubleshooting connectivity. For example, a connection tagged with the "saA" flags typically indicates that there is a routing problem or an unresponsive host on an interface with the lower security level. However, if most of the TCP connections have the "UIO" flags and a nonzero byte count, this typically indicates that the Cisco ASA is operating normally.

The figure shows examples of connections with their associated flags. The figure also explains the flags that are associated with the TCP state engine. Other connection flags (also for other protocols) suggest application awareness and indicate that the security appliance is applying deeper inspection on these connections.

Connections that are initiated from an interface with a higher security level to an interface with a lower security level are outbound connections. Connections that originate from an interface with a lower security level to an interface with a higher security level are inbound connections. The "B" flag indicates that the connection is inbound.

Local Host Table

This topic describes the local host table.

Local Host Table
Cisco ASA also tracks all hosts (IP addresses) that are communicating over the security appliance in a local host table.
- Keeps statistics on hosts in local host objects
- Host objects reference the host connections

The Cisco Adaptive Security Appliance also keeps a second state table, which is referred to as the local host table. This table tracks all hosts (that is, IP addresses) that have connections that are established across the appliance. Each host is tracked in a local host object, where the security appliance groups host statistics, translations, connections, and AAA information. Each local host object references all connections that involve that particular host in the connection table. Therefore, by examining the local host table, you can also see the relevant portions of the connection table that are linked to the particular host (IP address). In the figure, the inside 10.1.1.2 host initiates an SSH connection to the 192.168.1.6 outside host.
These two hosts share an SSH connection. If the Cisco ASA allows this connection, it creates two local host objects (local host 10.1.1.2 and local host 192.168.1.6) and one connection object (TCP 10.1.1.2:1474 > 192.168.1.6:22) that is linked to both local host objects.

Examining the Local Host Table

This topic describes how to examine and administer the local host table.

You can use the show local-host command to examine the local host state table. In the figure, the host 10.1.1.1 is shown with flow statistics, translations, and active connections.

You can use the clear local-host command to delete a specific local host object or a group of local host objects. When you delete local host objects, you also destroy all the connection objects that are associated with them, disrupting the current network applications of the host in question.

Connection Table Logging

This topic describes connection table logging.

The Cisco ASA will, by default, log the creation and deletion of all local host and connection objects.

By default, when you enable system logging on the Cisco Adaptive Security Appliance, the appliance logs events that signal the creation and deletion of local host and connection objects. The security appliance logs creation and deletion events of local host objects at the debugging (7) level by default, and the creation and deletion of connection objects at the informational (6) level. The example output shows a sequence of state-change messages that the Cisco ASA generates for a short-lived connection. In the example, a TCP (HTTP, port 80) outbound connection is established between the 10.0.0.10 inside host and the 172.16.1.254 outside host. Before this connection could occur, two local host objects were created: one for the 10.0.0.10 host and one for the 172.16.1.254 host. The connection is then torn down and the two local host objects are deleted.
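The following added example (not from the course material or Cisco) parses a constructed show conn listing and applies the reading of the TCP flags given above: "saA" with no data as a half-open connection worth investigating, "UIO" with a nonzero byte count as a normal session, and "B" as the inbound marker. The column layout and all sample values are assumptions constructed for this example.

```python
"""Classify 'show conn' entries by TCP connection flags, following the
reading given in the text: a TCP entry with the 'saA' flags and no bytes
has not completed its handshake (routing problem or unresponsive host on
the lower-security interface), 'UIO' with a non-zero byte count is a normal
established session, and 'B' marks an inbound connection.
Added example, not Cisco code. SAMPLE_SHOW_CONN is constructed; the column
order follows the form shown on the page, but real output varies by release."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_SHOW_CONN = """\
5 in use, 9 most used
TCP outside 172.16.1.8:22 inside 10.1.1.2:1474, idle 0:00:05, bytes 3242, flags UIO
TCP outside 172.16.1.8:80 inside 10.1.1.3:51002, idle 0:00:31, bytes 0, flags saA
TCP outside 172.31.2.3:40010 inside 10.2.2.9:21, idle 0:00:02, bytes 910, flags UIOB
UDP outside 172.16.1.254:53 inside 10.1.1.2:40211, idle 0:00:02, bytes 180, flags -
ICMP outside 172.16.1.8:0 inside 10.1.1.2:3, idle 0:00:01, bytes 64
"""

# One connection entry: protocol, two interface/address:port pairs, idle time,
# cumulative bytes and (for TCP/UDP) the flags column.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<if_a>\S+)\s+(?P<addr_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<addr_b>[\d.]+):(?P<port_b>\d+),"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+)"
    r"(?:,\s+flags\s+(?P<flags>\S+))?\s*$"
)


@dataclass
class Conn:
    proto: str
    if_a: str
    addr_a: str
    port_a: int
    if_b: str
    addr_b: str
    port_b: int
    idle: str
    bytes: int
    flags: str            # "" when the entry has no flags column (ICMP)


def parse_show_conn(text: str) -> List[Conn]:
    """Parse every connection line; the 'N in use' summary line is skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        conns.append(Conn(d["proto"], d["if_a"], d["addr_a"], int(d["port_a"]),
                          d["if_b"], d["addr_b"], int(d["port_b"]),
                          d["idle"], int(d["bytes"]), d["flags"] or ""))
    return conns


def assess(conn: Conn) -> str:
    """Read the TCP state machine from the flags column."""
    if conn.proto != "TCP":
        return "not-tcp"
    if "U" in conn.flags:                      # 'U' = connection is up
        return "established" if conn.bytes > 0 else "established-idle"
    # No 'U': the three-way handshake has not completed. Lower-case s/a wait
    # for a SYN or ACK from the lower-security side, upper-case S/A from the
    # higher-security side.
    if conn.flags and set(conn.flags) <= {"s", "a", "S", "A"}:
        return "handshake-incomplete"
    return "unknown"


def direction(conn: Conn) -> str:
    """'B' means the initial SYN arrived on the lower-security (outside) side."""
    return "inbound" if "B" in conn.flags else "outbound"


def suspicious(conns: List[Conn]) -> List[Conn]:
    """Half-open TCP connections that never carried data: the 'saA' case."""
    return [c for c in conns
            if assess(c) == "handshake-incomplete" and c.bytes == 0]
```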
Interface ACLs

This topic describes Cisco Adaptive Security Appliance interface ACLs.

Cisco ASA interface access rules control network applications through the appliance, based on:
+ Input or output interface
+ OSI Layer 3 (source and destination IP address)
+ OSI Layer 4 (source and destination port)
Interface access rules determine which new connections can enter the appliance connection table.
Interface access rules control only transit traffic, not traffic that terminates on or originates from the appliance itself.

Cisco ASA interface access rules are the most commonly used access control mechanism on the appliance. Interface access rules permit or do not allow (deny) network applications to establish their sessions through the security appliance based on the following information:
+ The input or output appliance interface of the session
+ OSI Layer 3 (source and destination IP address) criteria
+ OSI Layer 4 (source and destination port or service) criteria

Effectively, interface access rules determine which new connections can enter the Cisco ASA connection table. If a packet arrives at an appliance interface and does not belong to an existing connection, the Cisco ASA compares the packet to the interface access rules. If these rules permit the packet (that is, the network application), the connection that is initiated by this packet enters the connection table. If the packet is not permitted, the packet and its associated application session are denied.

Interface access rules control only transit traffic through the Cisco ASA, that is, traffic that terminates on a host beyond the appliance itself. Interface access rules do not control traffic that terminates on the security appliance itself, such as VPN tunnels, management protocols, or ICMP traffic to the appliance.

Interface ACLs (Cont.)

Interface access rules are per-interface ordered lists of permit and deny rules that are evaluated sequentially from the top.
+ The first matching rule is selected; the appliance then stops matching further entries.
+ There is an implicit deny ip any any at the end of the rules.
+ The Cisco ASA interface access rules use netmasks instead of wildcard masks.

Source                    Destination                      Action
10.1.1.0/255.255.255.0    192.168.1.0/255.255.255.0        deny
10.1.1.0/255.255.255.0    172.16.0.0/255.255.0.0  ssh      permit
10.1.1.0/255.255.255.0    any  http                        permit

Interface access rules are an ordered list of permit and deny rules that are applied to a particular Cisco ASA interface. Each appliance interface typically has its own separate set of interface access rules. The rule set is evaluated sequentially from the top, and the first rule that matches the new connection is applied. The connection is then permitted or denied. When a rule matches a connection, all subsequent rules are ignored.

There is an implicit (invisible) deny rule at the end of the interface access rules list. Therefore, a new connection that does not match any of the rules is denied.

This example shows a simple set of interface access rules. The first rule denies the 10.1.1.0/24 network and does not allow it to make any connections to the 192.168.1.0/24 network. The next two rules allow the 10.1.1.0/24 network to make SSH connections to the 172.16.0.0/16 network and HTTP connections to any host. All other connections are implicitly denied. You can apply this set of interface access rules to connections that arrive on the inside interface of the security appliance from adjacent networks.

Interface ACLs (Cont.)

For all statefully managed protocols and applications, the Cisco ASA interface access rules only need to permit the initial packet of an application.

Because the Cisco ASA is a stateful packet-filtering device, its interface access rules rely on its statefulness to simplify rule creation. When you create interface access rules, you only need to permit the initial packet of a network application if the security appliance statefully inspects that application. Therefore, your interface access rules do not have to consider these conditions:
+ Any traffic flowing in the reverse direction of that connection: Because these packets belong to the same flow, the Cisco ASA automatically permits them if they match the properties that are expected of them in the connection table.
+ Any additional connections or flows that this application may establish: Because the Cisco ASA is application-aware, it automatically permits any additional connections of the same application session if you permit the initial packet of the session.

In the figure, the 10.1.1.2 host wants to establish an SSH session with the 172.16.1.8 host. As the initial SSH packet arrives at the Cisco ASA, the appliance compares this packet to its connection table and finds that this is a new connection. The packet is compared to the interface access rules that are applied to control sessions arriving on the inside interface. The rule that is shown in the example permits the connection, so the security appliance creates the local host objects and a connection object. From now on, the appliance permits all packets of this specific SSH session instance.

Interface ACLs (Cont.)

If you do not apply an interface access list to an interface:
+ All outbound (that is, lower-security-level egress) connections or flows on that interface are permitted.
+ All inbound (that is, higher-security-level egress) connections or flows on that interface are denied.
You need to specifically allow connections:
+ Between interfaces with the same security level
+ In and out of the same interface
All such connections are controlled by the access rules of the incoming interface.

However, applying interface ACLs on security appliance interfaces is optional. If you do not apply interface access rules to a specific interface, the appliance applies a default access policy:
+ All connections arriving on an interface that are routed to interfaces with lower security levels than the incoming interface (outbound connections) are automatically permitted.
+ All connections arriving on an interface that are routed to interfaces with higher security levels than the incoming interface (inbound connections) are automatically denied.

Assigning the same security level to two interfaces implies that you want to prevent any connectivity between the interfaces. By default, the Cisco ASA does not allow any application traffic to pass between interfaces with the same security level, even if interface access rules would allow the traffic. However, you can use the global configuration command same-security-traffic permit inter-interface to globally enable communication between interfaces with the same security level.
If you enable this communication, the traffic is allowed to flow between hosts on both interfaces without an access list. However, if there is already an access list on either interface, you must permit the required connections in the relevant interface access rules.

Communication in and out of the same interface is needed in certain VPN scenarios. By default, the Cisco ASA denies such communication. If needed, communication of the same security level in and out of the same interface can be enabled by using a global configuration command that is discussed in the interface configuration lesson. If you enable communication between hosts on the same interface, the traffic is allowed to flow between hosts without an access list. However, if there is already an access list present on the interface, you must permit the required connections in the relevant interface access rules.

Interface ACLs (Cont.)

+ Access rules can be applied in both the input and the output direction of an interface.
+ Optionally, a global access rule can be applied; it controls input traffic only.
+ To be permitted through the ASA, a new application must be permitted in all access rules that are applied in its path, in either direction.

You can apply interface access rules in the input or output direction of a Cisco ASA interface. You can also optionally apply a global access rule. You can use a global access rule to control access on all interfaces of the security appliance, but only in the input direction.

Interface access rules that you apply on the input of an interface control the connections that the security appliance accepts from hosts on that interface. Interface access rules that are applied on the output of an interface control the connections that are about to be forwarded to hosts on that interface. The global access rule, if configured, applies to all traffic that does not match any interface access rules.

In Figure 1, an appliance is configured with four sets of interface access rules. The red and purple arrows (the two top arrows) represent access rules that are applied on the input of the outside and inside interfaces.
The blue and yellow arrows (the two bottom arrows) represent access rules that are applied on the output of the outside and inside interfaces. This configuration is not a representative or common security appliance configuration; it is an illustration of one possibility of interface access rule deployment.

When a network application requires access through the Cisco ASA, you must permit it in all access rules that are applied in the direction of the session across the appliance. In Figure 2, an application session is initiated from a host on the inside interface to a host on the outside interface. For this session to be permitted through the security appliance, you would have to permit it in the input interface access rules on the inside interface and in the output interface access rules on the outside interface, if both of these rule sets are configured on the appliance.

Interface ACLs (Cont.)

A common strategy is to use only input rules on all interfaces.
+ This strategy guarantees that all applications pass through interface access rules exactly once.
+ In some rare situations, output rules may be easier to implement.

To simplify the Cisco ASA configuration, you can use only input interface access rules and apply a separate set of input interface access rules to each appliance interface, covering all interfaces. This configuration philosophy guarantees that each network application that passes through the Cisco ASA does so through exactly one set of input interface rules, on its incoming interface. In Figure 1, the security appliance is configured with four sets of interface access rules, each of which is applied on the input of a particular interface. When an application initiates from a host on the dmz interface, it must be permitted only by the input interface access rules on the dmz interface.

In rare situations, it may be helpful to also use output interface access rules. In Figure 2, the Cisco ASA is

Access Rules

The Cisco Adaptive Security Device Manager Access Rules table is a consolidated view of all interface access rules that are configured and applied on the security appliance interfaces. To see the Access Rules table, choose Configuration > Firewall > Access Rules.
This figure shows the default view of the Access Rules table on a Cisco ASA that does not have any explicit interface access rules or any explicit global access rules configured. With no explicit rules, the security appliance permits connections that arrive on an interface if these connections are routed to interfaces with lower security levels. This behavior is illustrated by the implicit permit incoming rule on the DMZ and inside interfaces, as shown in the figure. Interface-specific access rules are evaluated before the global access rules.

The figure also shows that there are no separate ACLs for IPv4 and IPv6. The ASA supports unified ACLs for IPv4 and IPv6 (from Cisco ASA Software 9.0(1)), where IPv4 and IPv6 ACL entries are in a single ACL, or you can even mix IPv4 and IPv6 addresses in a single ACL entry. Before Cisco ASA Software 9.0(1), IPv4 and IPv6 ACLs were configured separately.

Configure Interface ACLs (Cont.)

Task 1: Configure Access Rules on an Interface
+ Configuration > Firewall > Access Rules

Task 1 implements the first interface access rule, which allows the internal client (10.1.1.2) to access the external server (172.16.1.8) using HTTP. When no explicit rules are configured on a Cisco ASA security appliance interface, you must add the initial rule to the interface.

Follow these steps to add this access rule:
1. From Cisco ASDM, choose Configuration > Firewall > Access Rules. The Access Rules panel appears.
2. Click Add and choose Add Access Rule from the menu. The Add Access Rule window appears.
3. Verify that the interface to which the rule will be added is the inside interface.
4. Choose the action that applies to the rule by clicking the Permit or Deny radio button. In the example, Permit is chosen.
5. In the Source field, enter the IP address for which traffic is permitted or denied. You can also click the ellipsis (...) button to choose an address from a predefined list. To specify a host address, you can enter /32 for the subnet mask or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. In the example, 10.1.1.2 is the source address.
6. In the Destination field, enter the IP address to which traffic is permitted or denied. You can also click the ellipsis (...) button to choose an address from a predefined list. To specify a host address, you can enter /32 for the subnet mask or you can enter the IP address without a subnet mask. To specify a network address, enter the subnet mask in slash notation after the IP address. In the example, 172.16.1.8 is the destination address.
7. Specify the service or protocol for the rule in the Service field. You can also click the ellipsis (...) button to choose a service from a predefined list. In the figure, tcp/http is entered.
8. Optionally, you can enter a description of the access rule.
9. Optionally, you can disable the logging function, which is enabled by default.
10. Expand the More Options section to configure additional settings for the rule.
11. Verify that the Enable Rule check box is checked (which is the default).
12. Verify that the Traffic Direction In radio button is selected (which is the default). You can apply only one set of access rules to each direction of an interface. This rule belongs to the input set of rules on the inside interface.
13. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Configure Interface ACLs (Cont.)

Task 1: Configure Access Rules on an Interface (Cont.)
+ Configuration > Firewall > Access Rules

In the second part of Task 1, create an access rule on the outside interface to permit inbound FTP connectivity from an external client (172.31.2.3) to the internal FTP server (10.2.2.9). Follow these steps to add this access rule:
1. From Cisco ASDM, choose Configuration > Firewall > Access Rules. The Access Rules panel appears.
2. Click Add and choose Add Access Rule from the menu. The Add Access Rule window appears.
3. Verify that the interface to which the rule will be added is the outside interface.
4. To choose the action that applies to the rule, click the Permit or Deny radio button. In the example, Permit is chosen.
5. In the Source field, enter the IP address of the external client. In the example, 172.31.2.3 is the source address.
6. In the Destination field, enter the IP address of the internal server.
In the example, 10.2.2.9 is the destination address, and it is not being translated.
7. Specify the service or protocol for the rule in the Service field. You can also click the ellipsis (...) button to choose a service from a predefined list. In the figure, tcp/ftp is entered.
8. Optionally, you can enter a description of the access rule, and you can disable the logging function, which is enabled by default.
9. Expand the More Options section to configure additional settings for the rule.
10. Verify that the Enable Rule check box is checked (which is the default).
11. Verify that the Traffic Direction In radio button is selected. This choice makes the rule belong to the input set of rules on the outside interface (which is the default).
12. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Configure Interface ACLs (Cont.)

Task 1: Configure Access Rules on an Interface (Cont.)
+ Configuration > Firewall > Access Rules

To complete the configuration part of the first task, insert an explicit deny-all rule at the end of all interface access rule sets. This configuration is optional, but recommended, because it allows you to track the number of denied packets. The explicit deny-all rule is needed to monitor hit count statistics.

To create the explicit deny-all rule in Cisco ASDM, use the Insert function, which creates a new rule in a particular location inside a rule set. From the list of rules, choose the rule before or after which you want to insert a new rule. To insert a new rule before the selected rule, choose Insert from the Add drop-down list. The Insert Access Rule window appears. To insert a new rule after the selected rule, choose Insert After from the Add drop-down list. The Insert After Access Rule window appears.

Follow these steps to create the explicit deny-all rule on the inside interface:
1. From Cisco ASDM, choose Configuration > Firewall > Access Rules. The Access Rules panel appears.
2. Choose and right-click the last explicit rule on the inside interface. Choose Insert After from the pop-up menu. The Insert After Access Rule window appears.
3. Complete the Insert After Access Rule window using the following values:
+ Verify that the interface to which the rule will be applied is the outside interface.
+ Action: Deny
+ Source: any (indicates all possible addresses)
+ Destination: any (indicates all possible addresses)
+ Service: ip (indicates all possible IP-based services)
4. Optionally, you can enter a description of the access rule, and you can disable the logging function, which is enabled by default.
5. Expand the More Options section to configure additional settings for the rule (not shown in the figure).
6. Verify that the Enable Rule check box is checked, which is the default (not shown in the figure).
7. Verify that the Traffic Direction In radio button is selected, which is the default (not shown in the figure).
8. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Repeat these steps to create an explicit deny-all rule on the outside interface.

Configure Interface ACLs (Cont.)

Task 1: Configure Access Rules on an Interface (Cont.)
+ Configuration > Firewall > Access Rules

This figure shows the resulting interface access rules that appear after you complete Task 1:
+ A set of interface access rules on the inside interface, permitting a specific outbound HTTP session and explicitly denying all other traffic, has been added. The implicit interface access rule that permits inside IP traffic to the lower-security-level interfaces has been removed.
+ A set of interface access rules on the outside interface, permitting a specific inbound FTP session and explicitly denying all other traffic, has been added.

Configure Interface ACLs (Cont.)

Task 2: Optionally, Configure Time Ranges

In Tasks 2 and 3, add a time-based access rule to your rule set to implement the time-based requirement of the access policy. For Task 2, create a time range that specifies when the time-based access rule is active. For the configuration scenario of this topic, create a time range that activates the access rule on weekdays from 8 a.m. to 5 p.m. (8:00 to 17:00).

Follow these steps to create a time range:
1. From Cisco ASDM, choose Configuration > Firewall > Objects > Time Ranges.
2. Click Add to add a new time range. The Add Time Range window appears.
3. In the Add Time Range window, enter a name for the time range (WORK-TIME is used in the example). Optionally, specify absolute time boundaries that apply to this range (for example, a starting date and an ending date). Because you are creating a recurring time range without absolute bounds, choose the Start Now and Never End boundaries.
4. You can optionally specify one or more recurring time ranges inside the absolute time interval that was

+ Configuration > Firewall > Access Rules

In Task 3, apply the created time range to a newly created access rule in the rule set. In this scenario, you must configure a time-based rule that allows the internal client (10.1.1.2) to access the external server (172.16.1.8) using SSH only during the configured time range.

Follow these steps to create a time-based rule:
1. From Cisco ASDM, choose Configuration > Firewall > Access Rules. The Access Rules panel appears.
2. Click a rule in the existing rule set before which or after which you want to add the time-based rule. In this configuration scenario, you need to permit outbound connectivity from the internal network; therefore, you must add an input permit rule before the explicit deny-all rule on the inside interface. Right-click the explicit deny-all rule on the inside interface, and choose Insert from the pop-up menu.
3. The Insert Access Rule window appears. Enter the following values in this window:
+ Verify that the interface to which the rule will be applied is the inside interface
+ Action: Permit
+ Source: 10.1.1.2
+ Destination: 172.16.1.8
+ Service: tcp/ssh
4. Optionally, you can enter a description of the access rule, and you can disable the logging function, which is enabled by default.
5. Expand the More Options section to configure additional settings for the rule (not shown in the figure).
6. Verify that the Enable Rule check box is checked, which is the default (not shown in the figure).
7. In the Time Range field, click the ellipsis (...) button and choose the time range that was defined in the previous task (WORK-TIME in the example). This rule is active only when the time range is active (that is, when the security appliance local time matches the conditions that are defined inside the time range object).
8. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Configure Interface ACLs (Cont.)

CLI Configuration

To configure the interface ACLs from the command line, use the commands that are described in the table.

time-range WORK-TIME
    Creates a time range named WORK-TIME.
periodic weekdays 8:00 to 17:00
    Defines the recurring period of the time range: weekdays, 8:00 to 17:00.
access-list inside_access_in remark Allow HTTP from 10.1.1.2 to 172.16.1.8
access-list inside_access_in extended permit tcp host 10.1.1.2 host 172.16.1.8 eq www
    Creates the inside ACL and permits HTTP from 10.1.1.2 to 172.16.1.8.
access-list inside_access_in remark Allow SSH from 10.1.1.2 to 172.16.1.8 during work hours
access-list inside_access_in extended permit tcp host 10.1.1.2 host 172.16.1.8 eq ssh time-range WORK-TIME
    Permits SSH from 10.1.1.2 to 172.16.1.8 only while the WORK-TIME range is active.
access-list inside_access_in extended deny ip any any
    Adds the explicit deny-all entry at the end of the inside ACL.
access-list outside_access_in remark Allow FTP from 172.31.2.3 to 10.2.2.9
access-list outside_access_in extended permit tcp host 172.31.2.3 host 10.2.2.9 eq ftp
    Creates the outside ACL and permits FTP from 172.31.2.3 to 10.2.2.9.
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
    Applies each ACL to its interface in the inbound direction.

Configure Interface ACLs (Cont.)

Consider the following implementation guidelines:
+ It is recommended that you apply ACLs to all Cisco ASA security appliance interfaces and implement a least-privilege policy, if possible.
+ The simplest and often most effective strategy is to apply ACLs inbound on all interfaces.
+ Place your most specific rules at the beginning of the interface rule set.
+ Use a deny-all clause at the end of every ACL to gather statistics.

When you implement access control on the Cisco ASA security appliance using interface ACLs, consider the following implementation guidelines:
+ Consider applying interface access rules on all interfaces and permitting only the minimal required set of services. This approach enforces a minimal access policy, which can be effective in preventing both known and yet-unknown attacks. Some organizations may configure the Cisco ASA security appliance in a more relaxed manner to increase manageability, because the number of rules would otherwise be too high. Configurations of this type usually increase the risk to which endpoints are exposed.
+ Generally, the simplest and most effective strategy is to use only input interface access rules that are applied to all security appliance interfaces.
This approach guarantees that every connection always passes through exactly one set of interface access rules. It also prevents rule duplication on multiple interfaces.
+ As with any access rule set, it is recommended that you place your most specific rules (that is, rules that govern specific hosts or services) toward the top of the rule set, to avoid overriding them with more general rules.
+ In all interface access rules, it is recommended that you use an explicit deny-all statement at the end of the list to gather statistics on traffic that is denied and to observe which traffic is being denied by this specific final rule.
+ The Cisco ASA security appliance has no hard-coded limit on the number of entries (ACEs) in an ACL. The limit is based on the amount of memory that is available on the security appliance. Use the show access-list | include elements command to see how many ACEs are on the security appliance.

Verify Interface ACLs

This topic describes how to verify interface ACLs.

+ Configuration > Firewall > Access Rules

This figure shows the final Cisco Adaptive Security Appliance Access Rules table and the corresponding interface access rules that implement the desired policy. The Hits column is automatically updated to show the number of times that traffic has matched a particular rule.

Verify Interface ACLs (Cont.)

Use the show access-list command to view the configured ACLs. The show access-list command displays all of the configured ACLs, the ACEs for each ACL, the hit count for each ACE, and a unique hexadecimal identifier (hash) for each ACE. You can use this identifier to match the ACE that appears in the syslog output. In the figure, the show access-list command is used with an ACL name as its argument, so it displays only the outside_access_in ACL. There are two ACEs in this ACL: one is a remark (description) and one is a traffic-controlling permit ACE. Notice that the access-list commands in the figure are listed by ACL line number. The line number that appears with show access-list is optional when the ACL is configured from the command line. If you
do not specify the line number when you enter the access-list command, the line numbers are assigned by the operating system and the entry is placed at the end of the ACL. Each individual ACE is given a unique line number within an ACL.

Global ACLs

This topic describes Cisco Adaptive Security Appliance global ACLs.

+ Global ACLs were introduced to make access policy configuration easier.
+ Global ACLs have the following characteristics:
  - ACEs are defined in the same manner as in interface ACLs.
  - Input traffic that does not match an ACL configured on an interface is compared against the global ACL.
  - Once an ACE has been added to the global ACL, all default interface policies are removed.
  - An implicit deny statement exists at the end of the global ACL; traffic that is not explicitly permitted is not allowed through the appliance.

The global ACLs of the Cisco ASA make it easier to manage the access policy configuration. After you define a global ACL policy, all default interface access policies (which permit traffic from high-security-level interfaces to low-security-level interfaces) are removed and the global policy is used for all input traffic. If you want to define specific interface access policies that differ from the global policy, you must configure interface ACLs.

You add ACEs to the global ACL in the same way that you add ACEs to interface ACLs. The global ACL is checked only when the manually configured input interface ACLs do not yield a match for the input packet. Interface ACLs are always matched before the global ACL.

The Cisco ASA uses the following order to match access rules when only interface ACLs are configured:
1. Interface access list rules
2. Implicit deny ip any any interface access list rule

The Cisco ASA uses the following order to match access rules when both interface ACLs and the global ACL are configured:
1. Interface access list rules
2. Global access list rules
3. Implicit deny ip any any global access list rule

Configure Global ACLs

This topic describes how to configure global ACLs.

To configure Cisco ASA global ACLs, complete these tasks:
1. Create global access rules.
2. (Optionally) Create interface ACL rules to override the global ACL.

To configure global access rules, perform the following tasks:
1. Create global access rules.
2. Optionally, create an interface ACL to override permissions in the global ACL.
In this configuration scenario, you will simplify the access policy configuration by using a global ACL together with an interface ACL. You will apply a global ACL statement that allows FTP from all hosts to the FTP server 192.168.1.7. By using a global ACL, you will not need to put specific rules on the outside or inside interfaces to permit this traffic.

You will also apply an ACE to the input ACL on the inside interface to block all FTP traffic from the 10.1.1.0/24 subnet, which preempts the global ACL for only that specific traffic. Allow all other traffic from the inside interface to the DMZ interface and the outside interface.

Configure Global ACLs (Cont.)

Task 1: Create Global Access Rules
+ Configuration > Firewall > Access Rules

The first task of this access policy configuration is to implement the first global access rule. This global access rule should allow any client to access the server (192.168.1.7) using FTP. When no explicit global access rules are configured on a Cisco ASA security appliance, you must add the initial rule to the global access rules.

Follow these steps to add the first access rule:
1. From Cisco Adaptive Security Device Manager, choose Configuration > Firewall > Access Rules. The Access Rules panel appears.
2. Select the global implicit rule, click Add, and choose Add Access Rule from the menu. The Add Access Rule window appears.
3. Enter the following values to complete the Add Access Rule window:
+ Interface: Any (Interface = Any means that the ACE is part of the global access rule)
+ Action: Permit
+ Source: any
+ Destination: 192.168.1.7
+ Service: tcp/ftp (You can also click the ellipsis (...) button to choose a service from a predefined list.)
4. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Configure Global ACLs (Cont.)

Task 2: Optionally Create an Interface ACL
+ Configuration > Firewall > Access Rules

The second task is to implement the first interface access rule, which should deny any client from the network 10.1.1.0/24 from accessing FTP from the inside interface.
When you configure a global access rule, all the default interface policies are removed (permit traffic from a high security level to a low security level), so you must create the interface access policy for the inside interface. The ASDM Access Rules pane in the figure shows the result of configuring a global access rule.

Follow these steps to add this interface access rule:
1. From the Configuration > Firewall > Access Rules window, click Add Access Rule. The Add Access Rule window appears.
2. Click Add and choose Add Access Rule from the menu. The Add Access Rule window appears.
3. Enter the following values to complete the Add Access Rule window:
+ Interface: inside
+ Action: Deny
+ Source: 10.1.1.0/24
+ Destination: any
+ Service: tcp/ftp (You can also click the ellipsis (...) button to choose a service from a predefined list.)
4. Click OK to close the Add Access Rule window, and click Apply in the Access Rules panel.

Configure Global ACLs (Cont.)

Task 2: Optionally Create an Interface ACL (Cont.)
+ Configuration > Firewall > Access Rules

In the second part of the second task in this configuration scenario, you have to implement the second inside access rule, which should permit all other traffic from the inside interface. This task is very important; without this ACE, all other input traffic on the inside interface is denied because of the implicit deny any any global access rule.

Configure Global ACLs (Cont.)

CLI Configuration

To configure global and interface ACLs on a Cisco ASA device using the command-line interface, use the commands that are described in the table.

access-list inside_access_in extended deny tcp 10.1.1.0 255.255.255.0 any eq ftp
    Denies FTP from the 10.1.1.0/24 subnet; this interface ACE is matched before the global ACL.
access-list inside_access_in extended permit ip any any
    Permits all other traffic arriving on the inside interface.
access-group inside_access_in in interface inside
    Applies the ACL to the inside interface in the inbound direction.
access-list global_access extended permit tcp any host 192.168.1.7 eq ftp
    Creates the global ACL and permits FTP from any host to 192.168.1.7.
access-group global_access global
    Applies the ACL globally to input traffic on all interfaces.

Verify Global ACLs

This topic describes how to verify global ACLs.

+ Configuration > Firewall > Access Rules

The example in the figure shows a global access policy that allows FTP traffic from anywhere to the server at 192.168.1.7. The example also shows an interface-specific input access policy that denies FTP traffic from the 10.1.1.0/24 subnet, but allows all other traffic.
Based on this configuration, the following access policies are applied:
+ Traffic entering the Cisco Adaptive Security Appliance on the inside interface, sourced from subnet 10.1.1.0/24 with any FTP destination, is denied.
+ All other traffic entering the Cisco ASA on the inside interface is allowed.
+ Any FTP traffic entering the Cisco ASA on any interface with a destination address of 192.168.1.7 is permitted.
+ All other traffic is dropped.

Verify Global ACLs (Cont.)

As with the interface ACLs, you can use the show access-list command to display the content and statistics of the global ACL.

Object Groups

This topic describes Cisco Adaptive Security Appliance object groups.

Object grouping allows you to create reusable bundles of addresses and services.
+ You can then use these bundles (object groups) inside access rules.
+ You can use nesting to build hierarchical groups.

Basic interface access rules enable the Cisco Adaptive Security Appliance to permit or deny a designated host to access another particular host with a specific network application (service). When there is only one client, one host, and one service, you need only a minimal number of rules in an interface rule set. However, as the number of clients, servers, and services increases, the number of rules that you need for each individual access type can increase and become unmanageable.

One solution for this problem is to group specific hosts into networks (subnets) and to allow entire networks to access each other. You can also allow complete TCP, UDP, or IP connectivity between hosts, instead of specific individual services. This approach is suboptimal because it departs from the philosophy of minimal access, which increases risk by allowing unnecessary connectivity.

A better approach is to introduce object grouping. This solution allows you to arbitrarily group hosts, resources, or services that share the same role, which optimizes the access rules.
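The following added example (not Cisco code or course material) models the rule-matching order described in this lesson and checks it against both configuration scenarios on the page: the inside and outside interface ACLs with the WORK-TIME range, and the global ACL with the inside override. The interface names and security levels (inside 100, dmz 50, outside 0), the evaluation times, and the hosts on the dmz are assumptions for the example.

```python
"""Model of the Cisco ASA access-rule evaluation order described in this
lesson, run against the page's two scenarios. Added example, not Cisco code;
the rules are the page's, the engine is a simplification (input-direction
rules only, IPv4 only, no NAT). Order modelled, as the text states it:
  1. input interface ACL, first match wins;
  2. global ACL, only for packets no interface ACL entry matched;
  3. implicit deny ip any any.
An interface with no ACL, on a box with no global ACL, gets the default
security-level policy: higher-to-lower security level is permitted, anything
else (including equal levels) is denied."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class TimeRange:
    """Recurring 'periodic' range: weekdays 0=Mon..6=Sun, [start, end) as (h, m)."""
    weekdays: Set[int]
    start: Tuple[int, int]
    end: Tuple[int, int]

    def active(self, when: datetime) -> bool:
        return (when.weekday() in self.weekdays
                and self.start <= (when.hour, when.minute) < self.end)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any", a host address or a CIDR prefix
    dst: str
    dport: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: Packet, when: Optional[datetime]) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_addr_match(self.src, pkt.src) and _addr_match(self.dst, pkt.dst)):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.time_range is not None:
            # A time-based ACE only matches while its time range is active.
            return when is not None and self.time_range.active(when)
        return True


@dataclass
class Asa:
    security_levels: Dict[str, int]
    interface_acls: Dict[str, List[Ace]] = field(default_factory=dict)
    global_acl: List[Ace] = field(default_factory=list)

    def decide(self, pkt: Packet, when: Optional[datetime] = None) -> str:
        acl = self.interface_acls.get(pkt.in_iface)
        if acl is None and not self.global_acl:
            # No ACL anywhere that applies: default security-level policy.
            if self.security_levels[pkt.in_iface] > self.security_levels[pkt.out_iface]:
                return "permit (default outbound)"
            return "deny (default inbound)"
        for ace in acl or []:
            if ace.matches(pkt, when):
                return f"{ace.action} (interface ACL)"
        for ace in self.global_acl:
            if ace.matches(pkt, when):
                return f"{ace.action} (global ACL)"
        return "deny (implicit)"


LEVELS = {"inside": 100, "dmz": 50, "outside": 0}          # assumed levels
WORK_TIME = TimeRange(weekdays={0, 1, 2, 3, 4}, start=(8, 0), end=(17, 0))
MONDAY_10 = datetime(2024, 1, 8, 10, 0)       # constructed: inside WORK-TIME
SATURDAY_10 = datetime(2024, 1, 13, 10, 0)    # constructed: outside WORK-TIME


def interface_acl_scenario() -> Asa:
    """Tasks 1-3 of the page: inside_access_in and outside_access_in, no global ACL."""
    return Asa(LEVELS, interface_acls={
        "inside": [Ace("permit", "tcp", "10.1.1.2", "172.16.1.8", 80),
                   Ace("permit", "tcp", "10.1.1.2", "172.16.1.8", 22, WORK_TIME),
                   Ace("deny", "ip", "any", "any")],
        "outside": [Ace("permit", "tcp", "172.31.2.3", "10.2.2.9", 21),
                    Ace("deny", "ip", "any", "any")],
    })


def global_acl_scenario() -> Asa:
    """Global ACL permitting FTP to 192.168.1.7; inside ACL overrides it for 10.1.1.0/24."""
    return Asa(LEVELS,
               interface_acls={"inside": [Ace("deny", "tcp", "10.1.1.0/24", "any", 21),
                                          Ace("permit", "ip", "any", "any")]},
               global_acl=[Ace("permit", "tcp", "any", "192.168.1.7", 21)])
```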
In the table, hosts 172.16.1.2, 172.16.3.4, and 172.16.5.6 are granted SSH and FTP access to host 10.1.1.2 and the 10.3.0.0/16 network. Normally, 12 individual interface access rules would be required to specify this policy, using individual host and port policies. However, if these hosts are grouped into a source group, a destination group, and a service group, only a single access rule is required to reference the three groups.

Configure Object Groups

This topic describes how to configure object groups on the Cisco Adaptive Security Appliance.

To configure Cisco ASA object groups, complete these tasks:
1. (Optionally) Create network objects.
2. Create network object groups.
3. Create service object groups.
4. Use object groups in access rules.

Consider these optional tasks to create objects and object groups, and use them in your configuration:
1. Create individual network objects (host, network, or address range) and assign them a name. This task is optional and is used only to increase the readability of your configuration. If you would rather use IP addresses to visualize your policy, you can bypass this task. These same objects are also used in the NAT configuration to define translated hosts.
2. Create groups of hosts that will share a common access rule by defining the members of a network object group.
3. Create groups of services that will share a common access rule by defining the members of a service object group.
4. Apply the object groups in specific interface access rules. You can use object groups in access rule parameters including source, destination, and service.

Configure Object Groups (Cont.)

Configuration Scenario

This figure presents the configuration scenario that is used in the upcoming configuration tasks. The security appliance controls traffic between an internal enterprise network that is connected over the inside interface and an external network that is connected over the outside interface.

The Cisco ASA should enforce the following access policy: An internal client (10.1.1.2) and an internal subnet (10.3.0.0/16) should both have permanent HTTP, FTP, DNS, and ICMP ping access to a group of external servers (172.16.1.2, 172.16.3.4, and 172.16.5.6).
Configure Object Groups (Cont.)
Task 1: (Optional) Create Network Objects
• Configuration > Firewall > Objects > Network Objects/Groups

In the optional Task 1, assign friendly names and descriptions to the network objects.

Follow these steps to create named network objects using Cisco Adaptive Security Device Manager:
1. Navigate to Configuration > Firewall > Objects > Network Objects/Groups to administer network objects.
2. To add a new named network object, click the Add button and choose Network Object. The Add Network Object window appears.
3. In the Add Network Object window, enter a name for the object (the name cannot contain spaces), choose a network object type from the Type drop-down list (Network in the example), and enter the IP address, IP subnet, or IP address range that the network object represents. You can also add a friendly description of the object.
4. Click OK to close the Add Network Object window.
5. Click Apply to apply the configuration.

In the figure, a network object named Client_Network is created that references the 10.3.0.0/16 internal network. Repeat these steps to configure additional network objects if needed.

Configure Object Groups (Cont.)
Task 2: Create Network Object Groups
• Configuration > Firewall > Objects > Network Objects/Groups

This figure shows the custom network objects that were added to the policy for this configuration example (Client_Network, Client_PC, External_server_A, External_server_B, and External_server_C).

In Task 2, create network object groups to group hosts (IP addresses or subnets, or named network objects that were created in the previous task) that share the same access rule, either as source or destination:
1. Navigate to Configuration > Firewall > Objects > Network Objects/Groups to administer network objects.
2. To add a new network object group, click the Add button and choose Network Object Group. The Add Network Object Group window appears.
3. Enter a name for the group in the Group Name field. The group name can be up to 64 characters in length. The name must be unique for each object group. A network object group name cannot share a name with a service object group.
In the figure, the network object group is named Client_group_1.
4. From the Existing Network Objects/Groups list, click the object that you want to add to the group. Click Add. If a named object or address that you want to add is not in the list, click the Create New Network Object Member radio button to create an object in real time, then click Add to add it to the object group. In the figure, the existing Client_Network and Client_PC objects were added to the Client_group_1 network object group.
5. When you are finished, click OK to close the Add Network Object Group window.
6. Click Apply to apply the configuration.

Repeat this procedure for all network object groups that you need to create. For this example, you must create another network object group (External_servers) listing the three network objects that represent the three external servers.

Configure Object Groups (Cont.)
Task 3: Create Service Object Groups
• Configuration > Firewall > Objects > Service Groups

In Task 3, configure service object groups that are used to group all services that are permitted or denied by a particular interface access rule.

The Cisco ASA supports six types of service groups. However, this course discusses only the most generic and flexible one, the IP service group. You can group any service into an IP service group; therefore the IP service group obsoletes all other service groups that were used in older versions of Cisco ASA software.

Follow these steps to configure an IP service group using Cisco ASDM:
1. Navigate to Configuration > Firewall > Objects > Service Groups to administer service objects and service object groups.
2. Click Add. The following list of service types appears:
• Service Object: Creates an IP service object.
• Service Group: Creates an IP service object group. An IP service object group groups services based on arbitrary protocols. It is the only recommended service group that you should use.
• TCP Service Group: Creates a TCP service object group, which you could use to group services that use the TCP protocol.
• UDP Service Group: Creates a UDP service object group, which you could use to group services that use the UDP protocol.
• TCP-UDP Service Group: Creates a TCP and UDP service object group, which you could use to group services that use the same destination port over the TCP and UDP protocols.
• ICMP Group: Creates an ICMP service object group, which you could use to group various ICMP services.
• Protocol Group: Creates an IP service object group, which you could use to group IP protocols.
3. Follow these steps to configure an IP service object group.
4. Choose Service Group from the Add menu. The Add Service Group window appears.
5. Enter a name for the group in the Group Name field. The name can be up to 64 characters in length. The name must be unique for each object group. An IP service object group name cannot share a name with a network object group. In the figure, the IP service object group is named Clients_external_services.
6. From the Existing Service/Service Group pane, choose the members of the service object group. In the figure, the TCP HTTP, TCP FTP, UDP DNS, and ICMP echo services have been added to the service object group named Clients_external_services. You can choose individual services from a predefined list based on commonly used port, type, or protocol names. Otherwise, you can enter a new member in the Create New Member area. To create a new member, click the Create New Member radio button, specify the protocol and ports, types, codes, or protocol numbers, and click Add.
7. Click Add to add the group members to the Members in Group pane.
8. Click OK to close the Add Service Group window.
9. Click Apply to apply the configuration.

Configure Object Groups (Cont.)
Task 4: Use Object Groups in Access Rules
• Configuration > Firewall > Access Rules

Finally, in Task 4 you can use the created object groups to develop granular and manageable interface access policies. When creating rules in Cisco ASDM, you can click the ellipsis (...)
button to the right of the Source, Destination, or Service field to select an object group. This action opens a browser window that enables you to choose configured object groups to be used as parameters for the access rule. This window is used in multiple configuration screens and is named appropriately for the current task. For example, from the Add Access Rule window, the Browse window is named "Browse Source," "Browse Destination," or "Browse Service," as shown in the figure. You can also enter the object group name directly in the Source, Destination, and Service fields, and you can add multiple object groups separated by commas.

In the figure, the previously configured object groups are used to create an access rule as follows:
• The action is Permit and the rule is part of the inside interface input rule set.
• The source condition is the Client_group_1 network object group that you created.
• The destination condition is the External_servers network object group that you created.
• The service condition is the Clients_external_services IP service object group that you created.

Note: You cannot use object groups in the Interface part of an access rule.

Configure Object Groups (Cont.)
CLI Configuration
To configure network objects on the Cisco ASA device using the command line interface, use the commands that are described in the table.

[Table of network object CLI commands (object network, host, description); illegible in the source.]

Configure Object Groups (Cont.)
CLI Configuration (Cont.)
To configure object groups on the Cisco ASA device using the command line interface, use the commands that are described in the table.

[Table of object-group CLI commands that create the network and service object groups and configure an ACL that uses them; illegible in the source.]

Verify Object Groups
This topic describes how to verify object groups on the Cisco Adaptive Security Appliance.

Verify Object Groups
• Configuration > Firewall > Access Rules
• View > Addresses
• View > Services

To verify the configuration of your object groups, inspect the Addresses and Services views in the Cisco Adaptive Security Device Manager and cross-reference the groups with the Access Rules table.
You can expand all object groups to display all the members to easily verify their accuracy.

Note: Editing the contents of an object group immediately updates the policy of any rule that references the object group.

Verify Object Groups (Cont.)
• Cisco ASA will expand object groups in ACLs.

When you use the show access-list command on an access list that uses object groups, by default the Cisco ASA expands all object groups to create individual ACEs for each combination of object group members in a rule.

This figure illustrates the beginning of the expanded ACL that was used in the configuration scenario. In line 2 of the ACL, you can see the expansion that the security appliance created for the object-group-based ACE, which creates individual ACEs that describe members of the object group. This situation is often beneficial because you can observe rules for individual object group members and track hits by the individual ACE.

Troubleshoot ACLs
This topic describes how to troubleshoot ACLs on the Cisco Adaptive Security Appliance.

Troubleshoot ACLs
Troubleshooting Tools
To troubleshoot issues that are related to basic access control, you can use a set of Cisco ASA CLI and Cisco Adaptive Security Device Manager verification and debugging features. The figure lists some common commands and features that you might find useful during the troubleshooting session. Typically, you will examine why a particular session cannot be established through the security appliance.

Troubleshoot ACLs (Cont.)
Troubleshooting Flow
This figure shows the recommended task flow for troubleshooting basic access control through the Cisco ASA security appliance. Follow these steps and use the provided commands to troubleshoot events where a host appears to have connectivity issues due to an implemented security policy:
• First, determine whether the interface on which the connection is arriving at the security appliance uses a set of input access rules (an input ACL in the CLI). You can verify this condition by using the show running-config access-group command or by inspecting the Cisco ASDM Access Rules table.
If it does, verify that the ACL permits this connection by using the CLI or Cisco ASDM Packet Tracer, by examining the Cisco ASA security appliance log for denied or permitted connections, or by using the packet capture facility. If no issues are revealed, you can proceed to Step 3. If the rule set does not permit the problematic connection, create a permit rule that allows it.
• If the input interface does not use a set of input access rules (an input ACL), you should determine whether the connection is routed to an output interface with a lower security level. If it is, the connection should be automatically permitted on the input interface and you can proceed to Step 3. However, remember that if you have configured any ACE in the global ACL, the implicit permit rule (permitting all traffic from higher-security-level interfaces to lower-security-level interfaces) on the interface ACL is removed. If the connection is routed to an output interface with a higher security level, you must create an interface access rule set (ACL) to permit such a connection.
• Finally, determine whether the interface to which the connection is routed inside the Cisco ASA uses a set of output access rules (an output ACL). You can verify this condition by using the show running-config access-group command or by inspecting the Cisco ASDM Access Rules table. If it does, verify that the ACL permits this connection by using the methods that are described in Step 1. If the rule set does not permit the problematic connection, create a permit rule that allows it.

Troubleshoot ACLs (Cont.)
Logging Messages
• Permitted connection by interface access rules
• Denied connection by interface access rules
• Packet that does not match the state table ("no connection")

This figure shows typical syslog messages that can assist you in the troubleshooting process. The first output shows the expected messages that you see when a connection is permitted through the Cisco ASA security appliance. If you see these messages and still have connectivity issues, you should verify routing information in your network, especially if connection slots are deactivated with a synchronization timeout for TCP connections.
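The decision sequence that the troubleshooting flow above walks through (input ACL, global ACL, implicit security-level rule, output ACL) can be written down as a small model. The following added example is not code from the course or from Cisco; it models a new connection against constructed interfaces and ACLs, returns which rule decided the verdict, and ignores NAT, same-security-traffic settings and connection-table lookups.

```python
"""Model of the ASA access-control decision for a new connection, following
the troubleshooting flow above. Added illustration, not Cisco code; the
topology and rules in the test are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp" or "icmp"
    src: str                       # CIDR, e.g. "10.0.0.0/8"
    dst: str                       # CIDR; "0.0.0.0/0" means any
    dport: Optional[int] = None    # destination port; None means any

    def matches(self, flow):
        return ((self.proto == "ip" or self.proto == flow.proto)
                and ip_address(flow.src) in ip_network(self.src, strict=False)
                and ip_address(flow.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == flow.dport))


@dataclass
class Flow:
    in_iface: str
    out_iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Interface:
    security_level: int
    in_acl: Optional[list] = None    # None: no input access-group applied
    out_acl: Optional[list] = None   # None: no output access-group applied


def first_match(acl, flow):
    """Index (1-based) and ACE of the first matching entry, or None."""
    for idx, ace in enumerate(acl, start=1):
        if ace.matches(flow):
            return idx, ace
    return None


def _inbound(interfaces, global_acl, flow):
    """Steps 1 and 2 of the flow: input ACL, then global ACL, then implicit rule."""
    ingress, egress = interfaces[flow.in_iface], interfaces[flow.out_iface]
    if ingress.in_acl is not None:
        hit = first_match(ingress.in_acl, flow)
        if hit:
            return hit[1].action, f"input ACL on {flow.in_iface}, ACE {hit[0]}"
    if global_acl is not None:
        # A configured global ACL removes the implicit high-to-low permit.
        hit = first_match(global_acl, flow)
        if hit:
            return hit[1].action, f"global ACL, ACE {hit[0]}"
        return "deny", "implicit deny (global ACL configured, no match)"
    if ingress.in_acl is not None:
        return "deny", f"implicit deny at end of input ACL on {flow.in_iface}"
    if ingress.security_level > egress.security_level:
        return "permit", "implicit permit (higher to lower security level)"
    return "deny", "implicit deny (no input ACL, not higher to lower security level)"


def evaluate(interfaces, global_acl, flow):
    """Step 3 added: the output ACL of the egress interface, if one is applied.
    Returns (verdict, reason)."""
    verdict, reason = _inbound(interfaces, global_acl, flow)
    if verdict == "deny":
        return verdict, reason
    egress = interfaces[flow.out_iface]
    if egress.out_acl is not None:
        hit = first_match(egress.out_acl, flow)
        if hit is None:
            return "deny", f"implicit deny at end of output ACL on {flow.out_iface}"
        if hit[1].action == "deny":
            return "deny", f"output ACL on {flow.out_iface}, ACE {hit[0]}"
    return "permit", reason
```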
If the security appliance denies a new connection because of an access rule, you see the 106023 syslog messages. You can use the hexadecimal identifier in the 106023 syslog message (highlighted in the figure) and the show access-list command to find the appropriate access list entry. You may also see the 106015 message. This message indicates that the incoming packet arrived at the Cisco ASA but it could not be matched to any connection object in the connection table. These packets are usually reconnaissance attempts, or delayed legitimate packets that were received after legitimate sessions had already closed their transport connections.

Troubleshoot ACLs (Cont.)
Correlate Cisco ASDM Log Messages to Access Rules
• Monitoring > Logging > Real-Time Log Viewer > View

You can also use the Cisco ASDM Real-Time Log Viewer to examine the logging messages. You can right-click a message with ID 106023 and select the Show Access Rule option from the menu to correlate the logging message with the ACL entry that denied the packet.

You can also select the Create Reverse Access Rule option from the menu, which automatically creates an ACL entry that will allow previously denied packets and lets you review it before its application.

Troubleshoot ACLs (Cont.)
Correlate Access Rule to Log Messages - Real-Time Log Viewer
When you select the Show Access Rule option from the menu in the Cisco ASDM Real-Time Log Viewer, the ACL entry that denied the packet will be highlighted in the Access Rules table. Then, you can modify the ACL to allow the packets in the future.

Troubleshoot ACLs (Cont.)
Using the Cisco ASDM Packet Tracer
• Tools > Packet Tracer

The Packet Tracer tool, discussed in an earlier module of this course, allows you to quickly pinpoint some possible reasons for connectivity issues through the Cisco ASA security appliance. You can start the Packet Tracer from the Tools menu. When the window appears, enter the connection parameters: the input interface, the source and destination IP addresses, and the source and destination ports. Click Start to diagnose the issue.
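The correlation described above (the hexadecimal identifier in a 106023 message matched against the identifier that show access-list prints after each entry) is easy to script when logs are collected centrally. The following added example is not code from the course or from Cisco; the syslog lines and show access-list excerpt are constructed samples in the format of those messages, with made-up addresses, and 106015 lines are recognised but left uncorrelated.

```python
"""Correlate %ASA-4-106023 deny messages with 'show access-list' entries by
their hexadecimal ACE identifier. Added illustration, not Cisco code; all
sample text below is constructed."""
import re
from collections import Counter

# Constructed syslog sample: three access-rule denies and one 106015 message.
SYSLOG = """\
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51234 dst outside:172.16.1.2/21 by access-group "inside_access_in" [0x8ed66b60, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.5/51235 dst outside:172.16.1.2/21 by access-group "inside_access_in" [0x8ed66b60, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.9/5353 dst dmz:10.50.0.5/161 by access-group "outside_access_in" [0x1a2b3c4d, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/51000 to 172.16.1.2/80 flags RST on interface inside
"""

# Constructed 'show access-list' excerpt; the trailing hex value is the ACE id.
SHOW_ACCESS_LIST = """\
access-list inside_access_in line 1 extended permit tcp object-group Client_group_1 object-group External_servers object-group Clients_external_services (hitcnt=12) 0x4f2b1e80
access-list inside_access_in line 2 extended deny tcp 10.1.0.0 255.255.0.0 any eq ftp (hitcnt=2) 0x8ed66b60
access-list outside_access_in line 1 extended deny udp any host 10.50.0.5 eq snmp (hitcnt=1) 0x1a2b3c4d
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<in_if>[^:]+):(?P<src>[^/ ]+)'
    r'(?:/(?P<sport>\d+))? dst (?P<out_if>[^:]+):(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))?'
    r'.*? by access-group "(?P<acl>[^"]+)" \[(?P<ace_id>0x[0-9a-f]+), 0x[0-9a-f]+\]')
ACE_RE = re.compile(
    r'^\s*access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) '
    r'\(hitcnt=(?P<hits>\d+)\) (?P<ace_id>0x[0-9a-f]+)\s*$')


def parse_denies(text):
    """Fields of every 106023 message; other message IDs are skipped."""
    return [m.groupdict() for m in map(DENY_RE.search, text.splitlines()) if m]


def parse_aces(text):
    """Map ACE id -> parsed 'show access-list' entry."""
    return {m["ace_id"]: m.groupdict()
            for m in map(ACE_RE.match, text.splitlines()) if m}


def correlate(syslog_text, show_text):
    """For each ACE id seen in a deny, the deny count and the entry it names.
    An id that no entry carries maps to an empty entry (ACL changed since)."""
    aces = parse_aces(show_text)
    counts = Counter(d["ace_id"] for d in parse_denies(syslog_text))
    report = {}
    for ace_id, n in counts.items():
        entry = aces.get(ace_id)
        report[ace_id] = {
            "denies": n,
            "acl": entry["acl"] if entry else None,
            "line": int(entry["line"]) if entry else None,
            "entry": entry["body"] if entry else None,
        }
    return report


if __name__ == "__main__":
    for ace_id, info in correlate(SYSLOG, SHOW_ACCESS_LIST).items():
        print(ace_id, info)
```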
In the example, the packet tracer has determined that the connection is blocked by a configured access rule. This is shown in the Result section of the Packet Tracer output. You can also expand the ACCESS-LIST phase of the trace to examine the ACL entry that was matched by the packet. You can also display the ACL entry in the Cisco ASDM Access Rules table by clicking the Show rule in Access Rules table option.

Troubleshoot ACLs (Cont.)
Using the CLI Packet Tracer
You can also use the packet tracer tool from the CLI, supplying it with the same information to start the tracing action. The figure shows an equivalent Packet Tracer session to the one that was performed through Cisco ASDM in the previous figure.

Troubleshoot ACLs (Cont.)
Using the CLI Capture
You can also use the packet capture facility on the Cisco ASA to record packets that were denied by configured access rules. Use the capture command and capture only packets that are dropped by configured access rules using the type asp-drop acl-drop option. The figure shows an example of such a capture.

Summary
This topic summarizes the key points that were discussed in this lesson.

Summary
• The Cisco ASA security appliance is fundamentally an application-aware, stateful packet filtering device.
• Interface ACLs control which sessions can enter the ASA connection tables. You can use a global ACL for easier management of access rules for a firewall with many interfaces.
• The Cisco ASDM Access Rules table is a consolidated view of all interface access rules that are configured and applied on the security appliance interfaces.
• After you define a global ACL policy, all the default interface implicit access policies are removed, and the global policy is used for all input traffic.
• Network object groups allow grouping of hosts and networks that require the same ACL configuration.
• Service object groups allow grouping of services that are used in ACL configuration.

Lesson 3
Deploying Advanced Cisco ASA Access Policies

Overview
Advanced Cisco Adaptive Security Appliance access policies allow security administrators to apply different policies to different types of traffic.
For example, traffic coming from the Internet could be scanned for any sign of malicious software. On the other hand, Voice over IP traffic could be prioritized on all Cisco ASA interfaces to prevent delays and packet losses. The Cisco Modular Policy Framework is a configuration tool which enables security administrators to assign different network policies to different traffic flows in a flexible and granular manner. The MPF enhances ASA interface Access Control Lists by allowing the administrator to specify a multitude of advanced access controls on network flows, independently of interface ACLs.

This lesson first provides an overview of advanced access controls and policies. Then the lesson describes the Cisco MPF, which is used to implement advanced policies. Then the lesson discusses how to tune OSI Layer 3-4 stateful inspection and inspection of dynamic protocols. The lesson concludes with application inspection of the HTTP and FTP protocols.

Upon completing this lesson, you will be able to:
• Provide an overview of advanced access policies
• Describe Cisco MPF on the Cisco ASA
• Describe Cisco MPF OSI Layer 3-4 policies
• Describe default OSI Layer 3-4 stateful tracking
• Tune OSI Layer 3-4 stateful tracking
• Verify OSI Layer 3-4 stateful tracking
• Describe support for dynamic protocols
• Configure support for dynamic protocols
• Verify support for dynamic protocols
• Describe Cisco MPF application layer (OSI Layer 5-7) policies
• Describe the Cisco ASA HTTP inspector
• Configure HTTP inspection
• Verify HTTP inspection
• Describe the Cisco ASA FTP inspector
• Evaluate application inspection of other protocols

Advanced Cisco ASA Access Policies Overview
This topic provides an overview of advanced access policies.
Advanced Cisco ASA Access Policies Overview
• Different traffic flows may require network access controls beyond ACLs.
• Cisco MPF provides power and flexibility when you implement advanced access policies:
 - Defining traffic flows that are affected by advanced access policies
 - Associating network policies with traffic flows
 - Enabling network policies on specific or all interfaces

Different traffic flows traversing the Cisco ASA may require different network policies. Some examples of advanced policies are listed below:
• You could redirect traffic coming from the Internet to the Cisco Intrusion Prevention System module to scan the traffic for malicious content.
• You could prioritize VoIP traffic between the branch office and headquarters to prevent delays and packet loss for voice traffic.
• You could inspect HTTP traffic coming to the company web server to allow only specific HTTP requests.
• You could inspect outgoing HTTP and FTP traffic to prevent data loss.

The Cisco MPF configuration tool and philosophy enable administrators to describe network traffic and apply advanced and granular services to that traffic. Cisco MPF software provides tools for the following:
• Defining traffic flows by describing their network properties
• Associating network policies (actions) with traffic flows
• Enabling network policies on a specific interface or globally on all interfaces of an enforcing device (Cisco ASA)

ACLs are the fundamental access control method of the Cisco ASA, and the Cisco MPF tool does not replace them. Instead, Cisco MPF provides an independent configuration tool to apply additional security policies to specific flows.

Cisco MPF Overview
This topic describes the Cisco Modular Policy Framework on the Cisco Adaptive Security Appliance.
Cisco MPF Overview
Cisco MPF consists of the following components:
• Class maps:
 - OSI Layer 3-4 class map: Identifies Layer 3 and Layer 4 traffic to which you apply a network policy
 - OSI Layer 5-7 class map: Identifies Layer 5 through Layer 7 traffic to which you apply an application-specific policy
• Policy maps:
 - OSI Layer 3-4 policy map: Defines policies for Layer 3 and Layer 4 traffic
 - OSI Layer 5-7 policy map: Defines policies for Layer 5 through Layer 7 traffic
• Service policy: Activates a policy map on an interface or globally on all interfaces

The Cisco MPF consists of the following main components:
• Class maps: A class map is a basic Cisco MPF object that is used to identify and group a set of particular traffic flows into traffic classes. A traffic flow is generally an OSI Layer 4 network session between endpoints that is used by a specific application. For example, a voice call can be defined as a network flow. For this flow, a class map can identify a traffic class as a set of voice calls between specific hosts or networks across the Cisco ASA security appliance. You can create class maps for OSI Layers 3 and 4 that classify traffic based only on the OSI Layer 3 and Layer 4 information that is found in a packet. This information would include such things as addresses, DSCP values, or ports. You can also create class maps for OSI Layers 5 through 7, which use application layer content to identify flows and classify them as part of the same class.
• Policy map: You use a policy map to associate one or more actions with a class of traffic, for one or more classes. For example, all voice traffic coming from headquarters to the branch office can be classified in a traffic class and associated with low latency queuing. To associate an action with a specific class, you would create a policy map, specify a traffic class in the policy map, and associate an action with this specific class of traffic. You can create policy maps for OSI Layers 3 and 4, which define actions that are applied to traffic classes for these layers. You can also create policy maps for OSI Layers 5 through 7, which define actions that are applied to traffic classes for those layers.
• Service policy: You use a service policy to activate policies by specifying where policy maps should classify and apply actions to traffic.
A service policy activates a policy map either on a specific Cisco ASA security appliance interface or globally on all appliance interfaces. For example, you can apply the voice priority queuing policy to the outside interface, where it will identify packets of the voice traffic class and apply the appropriate egress queuing action.

OSI Layer 3-4 Policies Overview
This topic describes Cisco Modular Policy Framework OSI Layer 3-4 policies.

OSI Layer 3-4 Policies Overview
• You use OSI Layer 3 and Layer 4 policies to apply policy actions to traffic that is identified at OSI Layer 3 and Layer 4.
• Policies are composed of the following:
 - Class maps: Identify traffic based on OSI Layer 3 and Layer 4 attributes
 - Policy map: Specifies actions applied to traffic identified in class maps
 - Service policy: Activates policy maps on interfaces, globally or per interface

Use OSI Layer 3 and 4 policies to apply policy controls to traffic at OSI Layers 3 and 4. There are three components of the OSI Layer 3 and 4 network policies:
• Class maps for Layers 3 and 4: These components identify traffic based on the packet information for these layers.
• Policy maps for Layers 3 and 4: These components specify what actions to apply to the classes that are identified by class maps.
• Service policy: This component applies a policy map to an interface or globally to all interfaces.

OSI Layer 3-4 Policies Overview (Cont.)
OSI Layer 3-4 Class Maps
To identify traffic:
• Specify a name for a class
• Define matching attributes: any; access list (for example, only VoIP traffic); flow; DSCP value (for example, EF); TCP or UDP ports; IP precedence; RTP port numbers; VPN tunnel group; default inspection traffic

Class maps for OSI Layers 3 and 4 identify traffic based on protocols, ports, IP addresses, and other attributes for these layers. Configuring a class map is a two-step process:
• You must assign a name to the class map that identifies a class of traffic.
• You must specify matching attributes for the class of traffic.

After you configure a name for a class of traffic, you must identify the characteristics of the traffic flow. To identify traffic based on information for Layers 3 and 4, you can select the following matching criteria:
• Access list: You can create an ACL, and all traffic matching this ACL will belong to the specified class.

Note: You do not apply this class ACL on an interface.
Traffic matching the ACL permit entries belongs to the class, while traffic matching deny entries does not belong to it.
• Any: Any packet will belong to this class.
• IP DSCP: Defined by the IETF, this criterion is a DSCP value in the IP header. Classes that are based on the DSCP values are defined within the ToS byte.
• IP flow: This criterion represents all traffic that is going to a unique IP destination address. The policy action is applied to each flow instead of to the entire class of traffic.
• TCP and UDP ports: This criterion represents traffic that is using the specified TCP or UDP port.

Tune OSI Layer 3-4 Stateful Tracking
Task 1: Enable Stateful ICMP Inspection
• Configuration > Firewall > Service Policy Rules

In the first task of this configuration sequence, you will configure stateful handling of ICMP across the security appliance. To configure stateful ICMP handling for all traffic across the appliance, you can modify the default inspection traffic class, which by default already matches ICMP requests, but its associated default policy does not inspect it. You could also create a more specific class that matches the ICMP packets intended for inspection.

Perform the following steps to enable stateful inspection of ICMP traffic:
1. In Cisco ASDM, navigate to Configuration > Firewall > Service Policy Rules.
2. Edit the service policy rule that applies to the inspection_default class of traffic.
3. In the Rule Actions tab, in the Protocol Inspection subtab, check the ICMP inspection action.
4. Click OK.
5. Click Apply to apply your configuration.

Tune OSI Layer 3-4 Stateful Tracking (Cont.)
Task 2: Tune Inspection Timers and DCD
• Configuration > Firewall > Service Policy Rules

In the second task, you will tune the default TCP timers to configure a longer idle timeout, and enable DCD for a class of traffic. Using MPF configuration, you will create a new class of traffic that matches all telnet sessions to the server, and tune the TCP timeout settings for this class.

Perform the following ASDM steps:
1. From Cisco ASDM, choose Configuration > Firewall > Service Policy Rules.
2. Click the Add button to use the Add Service Policy Rule Wizard (not shown in the example).
3. Choose a global or per-interface policy rule (not shown in the example).
4. Choose to create a new class of traffic. Assign this class of traffic a unique name and choose to define this class of traffic using an ACL.
5. In the Traffic Match step of the wizard, specify the source address (10.0.0.0/8 in this example) and the destination address (the host computer, 10.10.1.9 in this example) of the traffic, and the telnet port.
6. In the Rule Actions step of the wizard, navigate to the Connection Settings tab. In the TCP Timeout section, specify the idle timeout for this class and check the Dead connection detection checkbox to enable DCD for this class. You can optionally also check the Send reset to TCP endpoints before timeout option, where the ASA will send connection reset (TCP reset) segments to the endpoints before idle sessions are removed from its connection table.
7. Click Finish to close the Add Service Policy Rule Wizard - Rule Actions window, and click Apply to apply the configuration.

Tune OSI Layer 3-4 Stateful Tracking (Cont.)
Task 3: Configure TTL Decrementing
• Configuration > Firewall > Service Policy Rules

In the third task of this configuration sequence, you will tune the default TTL decrementing policy of the ASA to decrement the TTL for all packets across the ASA. Using MPF configuration, you will enable TTL decrementing for a "match any" class of the global policy.

Perform the following ASDM steps:
1. From Cisco ASDM, choose Configuration > Firewall > Service Policy Rules.
2. Click the Add button to use the Add Service Policy Rule Wizard (not shown in the example).
3. Choose a global policy rule.
4. Choose to create a new class of traffic. Assign this class of traffic a unique name, and choose Any traffic as the match criterion for this class.
5. In the Rule Actions step of the wizard, navigate to the Connection Settings tab. In the Time to Live section, check the Decrement time to live for a connection option to decrement the TTL for all packets of this class.
6. Click Finish.
7. Click Apply to apply your configuration.

Tune OSI Layer 3-4 Stateful Tracking (Cont.)
CLI Configuration
To tune OSI Layer 3-4 stateful tracking on the Cisco ASA device using the command line interface, use the commands that are described in the table. Values that are illegible in the source are shown in angle brackets.

access-list <ACL-name> extended permit tcp 10.0.0.0 255.0.0.0 host 10.10.1.9 eq telnet: Creates an ACL.
class-map ALL-IP-TRAFFIC / match any: Creates a class map that matches all IP traffic.
class-map TELNET-TO-SERVER / match access-list <ACL-name>: Creates a class map that matches the ACL.
policy-map global_policy: Enters global policy configuration mode.
class inspection_default / inspect icmp: Enters the default class configuration mode and enables ICMP inspection.
class TELNET-TO-SERVER / set connection timeout idle <timeout> reset dcd <retry-interval> <max-retries>: Enters the TELNET-TO-SERVER class configuration mode, changes the connection timers, and enables DCD.
class ALL-IP-TRAFFIC / set connection decrement-ttl: Enters the ALL-IP-TRAFFIC class configuration mode and enables TTL decrementing.

Tune OSI Layer 3-4 Stateful Tracking (Cont.)
Consider the following implementation guidelines:
• It is generally recommended to enable stateful ICMP handling.
• Only tune connection timers when required by specific applications for a minimal set of required hosts; use DCD with long-lived connections to avoid resource exhaustion.
• Use TTL decrementing only if you need to see the Cisco ASA in traceroute outputs, or for management purposes.

When implementing the tuning of Cisco ASA OSI Layer 3-4 inspection, consider the following implementation guidelines:
• Generally, it is recommended to enable stateful ICMP handling on the ASA, as the alternative is to statelessly permit all ICMP echo replies to possible PING sources. On the other hand, enabling stateful ICMP inspection can impose additional load on the ASA if there are high rates of legitimate or malicious ICMP ping traffic in your network.
• As suggested in general deployment guidelines, make minimal required changes to the stateful engine. This applies to tuning of connection timers and TTL decrementing. When tuning TCP idle timers, it is generally recommended to also enable DCD.

Verify OSI Layer 3-4 Stateful Tracking
This topic describes how to verify OSI Layer 3-4 stateful tracking.

Verify OSI
Layer 3-4 Stateful Tracking
• show service-policy gives an insight into enabled inspections and statistics.

Verify OSI Layer 3-4 Stateful Tracking (Cont.)
• You can examine per-class connection settings and statistics.

To display some global statistics and gain a general overview of the operation of protocol inspection and Layer 3-4 stateful inspection, use the show service-policy command. This command shows whether a protocol, such as ICMP, is inspected. Use the show service-policy set connection command to display specific statistics for changed session timers or changed TTL behaviour.

Support for Dynamic Protocols
This topic describes support for dynamic protocols.

Support for Dynamic Protocols
• Dynamic protocols are those that negotiate additional sessions on negotiated transport-layer ports.
• The Cisco ASA will by default snoop on many dynamic protocols and automatically permit these sessions.
• In ACLs, you only need to permit the initial session.

Dynamic protocols are those application protocols that establish a control session and negotiate additional network sessions using dynamically determined and negotiated ports between hosts. The Cisco ASA supports many dynamic protocols by snooping on the port negotiation and automatically permitting additional sessions of supported protocols. Configuration-wise, you do not have to perform any configuration tasks to enable this behavior, if the dynamic protocol you are using is inspected by the Cisco ASA by default, inside its default inspection policy class. In the Cisco ASA interface ACLs, you only need to permit the initial control session, and all subsequent negotiated sessions will be permitted automatically.

Support for Dynamic Protocols (Cont.)
• The Cisco ASA uses a default inspection class to match protocols that require special handling.
• Not all protocols in it are inspected by default.

The Cisco ASA default inspection class includes protocols (services) that often require special handling.
Special handling may be required because of:
• Dynamic port negotiation (for example, for FTP, CTIQBE, GTP, H.323, MGCP, UNIX RPC, RSH, RTSP, SIP, SKINNY, SQL*Net, TFTP, and XDMCP).
• Special NAT requirements, where the Cisco ASA must inspect and modify session contents to solve the problem of IP addresses inside application layer payloads (FTP, CTIQBE, GTP, H.323, MGCP, RTSP, SIP, SKINNY, SQL*Net).
• Application-layer inspection, where the Cisco ASA may perform some default application layer inspection for a service (DNS, ESMTP).

Note: Not all services in the default inspection class are inspected by default. You can see which inspectors are enabled for the default inspection class in Cisco ASDM or in the CLI.

Support for Dynamic Protocols (Cont.)
Default Inspectors in the Default Inspection Class

Support for Dynamic Protocols (Cont.)
Default Inspectors in the Default Inspection Class (Cont.)

[Table of default inspectors; illegible in the source.]

This table lists the dynamic protocol inspectors enabled by default for traffic matching the default inspection class. Default inspectors which only provide NAT or application-layer inspection are omitted from this table.

Support for Dynamic Protocols (Cont.)
Inactive Inspectors in the Default Inspection Class
MGCP: Allows negotiated RTP flows

This table lists the dynamic protocol inspectors disabled by default for traffic matching the default inspection class. Default inspectors which only provide NAT or application layer inspection are omitted from this table as well. You may want to enable these inspectors by default if your firewall system should support the CTIQBE, DCERPC, MMP, and MGCP dynamic protocols.

Configure Support for Dynamic Protocols
This topic describes how to configure support for dynamic protocols.

Configure Support for Dynamic Protocols
To configure support for dynamic protocols, complete these tasks:
1. Configure support for non-default dynamic applications
2.
Configure support for dynamic applications on non-standard ports

The figure shows the two changes: enabling the non-default CTIQBE and DCERPC inspectors, and enabling support for FTP on TCP port 2121.

When configuring Cisco ASA support for dynamic protocols, you will perform one or more of the following configuration tasks:
1. You will enable Cisco ASA support for non-default dynamic applications.
2. You will configure the Cisco ASA to support dynamic applications on non-default ports.

This figure shows the configuration scenario used in the upcoming configuration tasks. You will configure the Cisco ASA with the following changes to its default dynamic inspection policy:
• You will enable inspection for the non-default CTIQBE and DCERPC protocols inside the default inspection class.
• You will configure inspection support for the FTP protocol running over the non-default server port of 2121, in addition to the default port of 21.

The configuration tasks assume that the Cisco ASA is already configured with all IP routing and an OSI Layer 3-4 access control policy permitting CTIQBE, DCERPC, and FTP sessions, using a default inspection policy.

Configure Support for Dynamic Protocols (Cont.)
Task 1: Configure Support for Non-default Dynamic Applications
• Configuration > Firewall > Service Policy Rules

To enable support for non-default dynamic protocol inspection inside the default inspection policy, you only need to enable additional inspectors for the Cisco ASA inspection_default class. Perform the following steps to enable stateful inspection of this traffic:
1. In Cisco ASDM, navigate to Configuration > Firewall > Service Policy Rules.
2. Edit the service policy rule that applies to the inspection_default traffic class.
3. In the Traffic Classification tab, verify that you are editing the rule that applies to the Default Inspection Traffic.
4. Switch to the Rule Actions tab, and additionally check the CTIQBE and DCERPC checkboxes to enable these inspectors with their default settings.
5. Click OK.
6. Click Apply to apply your configuration.
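FTP is the first of the dynamic-port protocols listed in the Support for Dynamic Protocols topic above: the client's PORT command or the server's 227 reply names the address and port of the data connection, and that is what an inspector has to snoop before it can permit the negotiated session. The following added example is not code from the course or from Cisco; it decodes those two control-channel messages over a constructed session transcript, and the address check it applies is this example's own, not a description of the ASA's.

```python
"""Decode the FTP data-connection negotiation that an inspector snoops.
Added illustration, not Cisco code; the transcript is constructed."""
import re

PORT_RE = re.compile(r'^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$', re.IGNORECASE)
PASV_RE = re.compile(r'^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)')

# Constructed control-channel transcript: ("C", line) from client, ("S", line) from server.
SAMPLE_TRANSCRIPT = [
    ("C", "USER anonymous"), ("S", "331 Please specify the password."),
    ("C", "PASS guest"), ("S", "230 Login successful."),
    ("C", "PORT 10,1,1,2,4,10"), ("S", "200 PORT command successful."),
    ("C", "LIST"), ("S", "150 Here comes the directory listing."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (172,16,1,2,195,149)."),
    ("C", "RETR file.txt"),
]


def _decode(six_fields):
    """h1,h2,h3,h4,p1,p2 -> (dotted address, port); port is p1 * 256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in six_fields.split(","))
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def negotiated_data_connection(client, server, sender, line):
    """Describe the data connection a control-channel line negotiates.

    Returns a dict with the connection that must be permitted, a dict with
    mode 'rejected' when the announced address does not belong to the peer
    that owns the control session, or None for lines that negotiate nothing.
    """
    m = PORT_RE.match(line) if sender == "C" else None
    if m:  # active mode: the server connects from port 20 to the client's port
        ip, port = _decode(m.group(1))
        if ip != client:
            return {"mode": "rejected", "reason": "PORT address is not the client"}
        return {"mode": "active", "src": server, "sport": 20, "dst": ip, "dport": port}
    m = PASV_RE.match(line) if sender == "S" else None
    if m:  # passive mode: the client connects to the port the server announced
        ip, port = _decode(m.group(1))
        if ip != server:
            return {"mode": "rejected", "reason": "227 address is not the server"}
        return {"mode": "passive", "src": client, "sport": None, "dst": ip, "dport": port}
    return None


def pinholes(client, server, transcript):
    """Data connections an inspector would permit for one control session."""
    holes = []
    for sender, line in transcript:
        result = negotiated_data_connection(client, server, sender, line)
        if result and result["mode"] != "rejected":
            holes.append(result)
    return holes


if __name__ == "__main__":
    for hole in pinholes("10.1.1.2", "172.16.1.2", SAMPLE_TRANSCRIPT):
        print(hole)
```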
Configure Support for Dynamic Protocols (Cont.)
Task 2: Configure support for dynamic applications on non-standard ports
+ Configuration > Firewall > Service Policy Rules

In the second task of this configuration sequence, you will create a service policy rule that will inspect FTP traffic on a non-default port. The default inspector for FTP traffic is already enabled by default in the default inspection class. Perform the following Cisco ASDM steps:
1. From Cisco ASDM, choose Configuration > Firewall > Service Policy Rules.
2. Click the Add button to use the Add Service Policy Rule Wizard (not shown in the example).
3. Choose a global policy (not shown in the figure).
4. Choose Create a new class of traffic, assign this class of traffic a unique name, and choose TCP or UDP destination port as the match criteria for this class.
5. In the Traffic Match step of the wizard, specify TCP as the protocol, and the service port of 2121 as the additional FTP service port.
6. In the Rule Actions step of the wizard, navigate to the Protocol Inspection tab and check the FTP protocol inspector check box to enable the inspector using its default settings.
7. Click Finish to close the Add Service Policy Rule Wizard Rule Actions window, and click Apply to apply the configuration.

Configure Support for Dynamic Protocols (Cont.)
CLI Configuration

To configure support for dynamic protocols on the Cisco ASA device using the command-line interface, use the commands that are described in the table.

  class-map NON-STANDARD-FTP          Creates a class that matches FTP sessions on the non-standard port
   match port tcp eq 2121
  policy-map global_policy            Enters global policy configuration mode
   class inspection_default           Enters the inspection_default class configuration mode and enables CTIQBE and DCERPC inspection
    inspect ctiqbe
    inspect dcerpc
   class NON-STANDARD-FTP             Enters class configuration mode and enables FTP inspection
    inspect ftp

Configure Support for Dynamic Protocols (Cont.)
Implementation Guidelines

Consider the following implementation guidelines:
+ If you do not require a particular dynamic protocol, do not enable its inspection function in the default policy; if an inspector that is enabled by default is not needed, disable its inspection on the Cisco ASA in order to minimize the Cisco ASA's unneeded functionality and therefore its attack surface.

Verify Support for Dynamic Protocols

This topic describes how to verify support for dynamic protocols.

Verify Support for Dynamic Protocols
+ Per-class statistics give a general overview of the enabled inspectors.

To display some global statistics and gain a general overview of the enabled inspectors, use the show service-policy command. This command shows whether a dynamic protocol, such as FTP, is inspected.

Application Layer (OSI Layer 5-7) Policies Overview

This topic describes Cisco Modular Policy Framework application layer (OSI Layer 5-7) policies.

Application Layer (OSI Layer 5-7) Policies Overview

Application layer access control can perform these functions:
+ Provide defense-in-depth by filtering traffic to exposed client and server applications
+ Prevent malicious content from being delivered to endpoints
+ Prevent covert tunneling

Firewall application inspections and controls inspect protocols on OSI Layers 5 to 7 and can filter on application layer protocol features and payloads to protect exposed server or client applications. Application inspections and controls generally provide the following functions:
+ They can prevent malicious protocol-level traffic (malformed protocol units, access to vulnerable protocol functions, and access to unwanted applications on the server) from being delivered to the target, thus protecting the target before traffic even reaches it. For example, a firewall that inspects and filters at the application layer can permit only required HTTP requests and allow access only to a specific URL prefix (that is, a specific application) on a web server.
+ They can prevent malicious content from being delivered to clients. For example, a firewall that inspects and filters at the application layer can permit only specific types of email or web content (HTML, text, Microsoft Office documents) to be delivered to an endpoint.
+ They can restrict or prevent covert tunneling channels, where attackers or legitimate users tunnel one protocol within another.
For example, the firewall can block attempts to tunnel other protocols in the traffic that flows through port 80 (HTTP), or other protocols that are encapsulated within HTTP flows that otherwise use legitimate HTTP.

Very importantly, firewall application layer inspection and control can act as an independent, strong layer of defense to build a defense-in-depth solution. Network application layer inspections and controls are fully independent from the defenses of the endpoint and work well even if the endpoint is vulnerable or misconfigured.

You can use four main approaches to implement application layer controls on an AIC-capable firewall such as the Cisco ASA. These approaches are often combined to achieve the desired filtering goals:
+ Protocol minimization: With this approach, the AIC-capable firewall allows only a minimal required set of protocol features through to the endpoint. The purpose of this filtering is to minimize the attack surface of the endpoint and reduce the likelihood that a particular vulnerability is exposed to the untrusted network. This approach can prevent both known and unknown attacks, because it will block any traffic that is not part of its minimal specification.
+ Payload minimization: With this approach, the AIC-

Configure HTTP Inspection
Task 1: Create an HTTP Inspection Policy Map
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In the first task of this configuration sequence, you create an HTTP inspection policy map on the Cisco ASA security appliance. An HTTP inspection policy map is a configuration construct that encapsulates a set of inspections that will be applied to a specific set of flows (that is, a Cisco MPF traffic class) and is reusable in multiple traffic classes. Follow these steps to create an HTTP inspection policy map using Cisco ASDM:
1. In Cisco ASDM, navigate to Configuration > Firewall > Objects > Inspect Maps.
2. Choose HTTP from the Inspect Maps menu (not shown in the figure). The HTTP window appears.
3. Click Add to add a new HTTP inspection policy map.
The Add HTTP Inspect Map window appears. The Add HTTP Inspect Map window allows you to use predefined security levels to simplify this HTTP inspection policy map, or to switch to the Details view to configure individual inspections. To configure the policy in this configuration sequence, you will use the Details view to configure the policy from inception. Click the Details button to switch to the Details mode.

Configure HTTP Inspection (Cont.)
Task 2: Optionally, Configure HTTP Protocol Minimization
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In Task 2, you optionally configure HTTP protocol minimization by allowing only specific parts of the HTTP protocol to be passed to the protected web server. In the example, you will allow only the GET request method to the server. You could configure additional rules to minimize other aspects of the HTTP protocol. Follow these steps to create an HTTP protocol minimization inspection rule in the HTTP inspection policy map using Cisco ASDM:
1. In the Inspections tab of the Details view of the HTTP inspection policy map, click Add to add a new inspection rule. The Add HTTP Inspect window appears.
2. In the Match Criteria section, click the Single Match option to specify a single condition (only one match statement) that will match traffic in this inspection rule. You could also choose the Multiple Matches option to match the traffic using a predefined HTTP (Layer 5 to 7) class map. In the HTTP class map, you can specify multiple match statements.
3. In the Match Criteria section, choose No Match as the match type if you want to drop all traffic except traffic that matches specific criteria (that is, a minimization policy).
4. From the Criterion drop-down list, choose the HTTP protocol container in which you want to analyze traffic for specific values. In the example, the Request Method container is chosen to filter traffic based on the HTTP request method.
5. In the Value area, specify the value of the criterion container that you expect for this rule. Because you want this rule to trigger on all requests that do not use the GET method, choose Get from the Match drop-down list.
You could also specify a custom regular expression (or a set of regular expressions in a regular expression class) to describe the expected HTTP method. However, if the value you are expecting is available in a predefined list, it is strongly recommended that you use the predefined value instead of defining regular expressions.
6. In the Actions section, define the actions that the Cisco ASA security appliance should take when it successfully matches traffic against this rule. In the example, the Drop Connection action is chosen and the logging of match events is enabled by enabling the Log option.
7. Click OK when you are finished defining the inspection rule. You can apply the inspection policy map and save the configuration if needed, or continue defining additional inspections.

Configure HTTP Inspection (Cont.)
Task 3: Optionally, Configure HTTP Payload Minimization
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In Task 3, you optionally configure HTTP payload minimization by allowing only specific payloads inside the HTTP protocol to be delivered to the protected web server. In the example, you will allow only a specific URL prefix to the server. You could configure additional rules to minimize other payloads inside the HTTP protocol, such as request arguments or content types. Follow these steps to create an HTTP payload minimization inspection rule in the HTTP inspection policy map using Cisco ASDM:
1. In the Inspections tab of the Details view of the HTTP inspection policy map, click Add to add a new inspection rule. The Add HTTP Inspect window appears.
2. In the Match Criteria section, choose the Single Match option to specify a single condition that will match traffic in this inspection rule (not shown in the example).
3. In the Match Criteria section, choose No Match as the match type if you want to drop all traffic except traffic that matches specific criteria (that is, a minimization policy).
4. From the Criterion drop-down list, choose the HTTP protocol container in which you want to analyze traffic for specific values.
In the example, the Request URI container is chosen to filter traffic based on the HTTP URI that users are accessing on the web server.
5. In the Value subsection, specify the value of the criterion container that you expect for this rule. If you want this rule to trigger on all requests that do not start with "/myapp", specify a custom regular expression to describe the expected HTTP URI. Click Manage to enter the Cisco ASDM regular expression configuration tool. The Manage Regular Expressions window appears.
6. In the Manage Regular Expressions window, click Add to add a new regular expression. The Add Regular Expression window appears.
7. In the Add Regular Expression window, assign a name (in the example, "MY-URI") to the regular expression. In the Value field, enter the regular expression that describes the URI prefix on which you want to filter. In the example, the "/myapp" prefix is described with the "^\/myapp" regular expression. The caret (^) in the regular expression indicates the start of the URI, and the slash (/) is escaped with the backslash (\).
8. Optionally, click the Test button and enter "/myapp" as the test input to test the regular expression. The match should succeed.
9. Click OK in the Add Regular Expression window.
10. Ensure that your new regular expression is selected in the Manage Regular Expressions window and click OK. Your new regular expression should be selected in the inspection rule. (The regular expression value from Step 5 should now show "MY-URI".)
11. In the Actions section, define the action that the Cisco ASA security appliance should take when it successfully matches traffic against this rule. In the example, the Drop Connection action is chosen and logging of match events is enabled by enabling the Log option (not visible in the example).
12. Click OK when you are finished defining the inspection rule.
13. You can apply the inspection policy map and save the configuration if needed, or continue defining additional inspections.

Configure HTTP Inspection (Cont.)
Task 4: Optionally, Configure HTTP Signatures
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In Task 4, you will optionally configure HTTP signatures by dropping known bad patterns inside HTTP sessions. In the example, you will drop all HTTP sessions that contain the "SELECT FROM" substring inside HTTP request arguments. You could also configure additional signatures to block other known attacks. Follow these steps to create an HTTP signature rule in the HTTP inspection policy map using Cisco ASDM:
1. In the Inspections tab of the Details view of the HTTP inspection policy map, click Add to add a new inspection rule. The Add HTTP Inspect window appears.
2. In the Match Criteria section, choose the Single Match option to specify a single condition that will match traffic in this inspection rule.
3. In the Match Criteria section, choose Match as the match type if you want to drop traffic that matches specific criteria (that is, a signature approach).
4. From the Criterion drop-down list, choose the HTTP protocol container in which you want to analyze traffic for specific values. In the example, the Request Arguments container is chosen to filter traffic based on the contents of the HTTP arguments field.
5. In the Value area, specify the value of the criterion container that you expect for this rule. Because you want this rule to trigger on all requests that contain the basic SQL injection "SELECT FROM" substring, specify a custom regular expression to describe the malicious pattern. Click the Manage button to enter the Cisco ASDM regular expression configuration tool. The Manage Regular Expressions window appears.
6. In the Manage Regular Expressions window, click Add to add a new regular expression. The Add Regular Expression window appears.
7. In the Add Regular Expression window, enter a name (BASIC-SQL-INJECTION in the example) for the regular expression.
In the Value field, enter the regular expression that describes the malicious pattern you want to match. In the example, the malicious pattern is described with the "[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]" regular expression. The regular expression is case insensitive to prevent evasion by changing character case; the ".+" expression matches one or more characters (including spaces and newlines) between the two words.
8. Click OK in the Add Regular Expression window.
9. Ensure that your new regular expression is selected in the Manage Regular Expressions window and click OK. Your new regular expression should be selected in the inspection rule. (The regular expression value from Step 5 should now show "BASIC-SQL-INJECTION".)
10. In the Actions section, define the actions that the Cisco ASA security appliance should take when it successfully matches traffic against this rule. In the example, the Drop Connection action is chosen and logging of match events is enabled by enabling the Log option.
11. Click OK when you are finished defining the inspection rule.
12. You can apply the inspection policy map and save the configuration if needed, or continue defining additional inspections.

Configure HTTP Inspection (Cont.)
Task 5: Optionally, Configure HTTP Protocol Verification
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In Task 5, you configure optional HTTP protocol verification to drop all HTTP sessions that do not conform to the standard protocol specification. Follow these steps to enable HTTP protocol verification in the current HTTP inspection policy map:
1. Click the Parameters tab in the Details view of the HTTP inspection policy map and check the Check for Protocol Violations check box to enable HTTP protocol verification.
2. In the Action section, define the action that the Cisco ASA security appliance should take when detecting protocol violations. In the example, the Drop Connection action is chosen and logging of match events is enabled by enabling the Log option.
3. Click OK when you are done defining the inspection rule.
4. Click Apply to apply the inspection policy map.
Click Save to save the configuration if needed.

Configure HTTP Inspection (Cont.)
Task 6: Apply the HTTP Inspection Policy Map
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

Finally, in Task 6 of this configuration sequence, you configure a service policy rule that applies the configured HTTP inspection policy map to a traffic class that describes HTTP traffic to the web server. Follow these steps to apply the configured HTTP inspection policy map to a new traffic class. Perform the following Cisco ASDM configuration steps:
1. Choose Configuration > Firewall > Service Policy Rules. The Service Policy Rules window appears.
2. Choose Add Service Policy Rule from the Add drop-down menu to add a new service policy rule to the Cisco ASA security appliance. The Add Service Policy Rule window appears (not shown in the example).
3. Choose an interface-based or global service policy rule, depending on your configuration needs. In the example, Global is selected. Click Next to continue. (The example does not show this step.)
4. In the Traffic Classification Criteria window, click the Create a New Traffic Class radio button and assign the traffic class name (WEB-SERVER-PROTECTION in the example). Check the Source and Destination IP Address (Uses ACL) check box under Traffic Match Criteria. Click Next.
5. In the Traffic Match window, click the Match radio button for the Action, choose ANY as the source address, choose 10.10.10.1 (the web server IP address) as the destination address, and choose tcp/http as the Service. Click Next.
6. In the Rule Actions window, click the Protocol Inspection tab. Check the HTTP check box and click the Configure button to launch the Select HTTP Inspect Map window. Choose the configured HTTP inspection policy map and click OK. In the example, the MY-HTTP-POLICY inspection policy that was previously configured is chosen.
7. Click Apply to apply the configuration.

Configure HTTP Inspection (Cont.)
CLI Configuration

To configure HTTP inspection on the Cisco ASA device using the command-line interface, use the commands that are described in the table.
The following commands reproduce Tasks 1 to 6 on the CLI. The access list, the two regular expressions, the policy map header and the protocol-violation action are the commands shown in the table; the match statements and the service policy binding correspond to the ASDM steps above.

  access-list global_mpc_1 extended permit tcp any host 10.10.10.1 eq www
  regex BASIC-SQL-INJECTION "[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]"
  regex MY-URI "^\/myapp"
  policy-map type inspect http MY-HTTP-POLICY
   parameters
    protocol-violation action drop-connection log
   match not request method get
    drop-connection log
   match not request uri regex MY-URI
    drop-connection log
   match request args regex BASIC-SQL-INJECTION
    drop-connection log
  class-map WEB-SERVER-PROTECTION
   match access-list global_mpc_1
  policy-map global_policy
   class WEB-SERVER-PROTECTION
    inspect http MY-HTTP-POLICY

Configure HTTP Inspection (Cont.)
Security Level Macros
+ Configuration > Firewall > Objects > Inspect Maps > HTTP

In the preceding configuration scenario, you configured an HTTP inspection policy map by configuring individual inspection parameters. You can also configure an HTTP inspection policy map in a simplified fashion using the security level slider, which allows you to select a low, medium, or high (depending on the inspected protocol) level of application layer protection using built-in default policies. With the HTTP inspector, you can choose between the low, medium, and high security levels inside the initial Add HTTP Inspect Map window.

The low security level enables only protocol verification and drops all connections that violate the HTTP specification. You can quickly add simple URI filtering rules to this policy using the URI Filtering button, which will take you to an inspection rule that filters on HTTP request URIs. The following is an example of an inspection policy map with low security:

  policy-map type inspect http LOW
   parameters
    protocol-violation action drop-connection

The medium security level extends the features of the low security level by also allowing only the GET, HEAD, and POST HTTP methods. The following is an example of an inspection policy map with a medium security level:

  class-map type inspect http match-all medium_security_methods
   match not request method get
   match not request method head
   match not request method post
  policy-map type inspect http MEDIUM
   parameters
    protocol-violation action drop-connection
   class medium_security_methods
    drop-connection

The high security level extends the features of the medium security level by also allowing only the GET and HEAD HTTP methods and dropping connections that contain non-ASCII HTTP headers (which is unusual and suspicious). The following is an example of an inspection policy map with a high security level:

  class-map type inspect http match-all high_security_methods
   match not request method get
   match not request method head
  policy-map type inspect http HIGH
   parameters
    protocol-violation action drop-connection
   class high_security_methods
    drop-connection
   match request header non-ascii
    drop-connection

Note: You can also start an HTTP inspection policy map from one of the security levels and then switch to the Details view to customize the generated inspection rules. Once customized, the policy no longer corresponds to one of the predefined levels (Low, Medium, High).
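The following Python model, added here as an illustration and not part of the course or of Cisco's software, evaluates constructed HTTP requests against the four rules built in Tasks 2 to 5 (protocol verification, GET-only, the MY-URI prefix, and the BASIC-SQL-INJECTION signature). It also shows the regular expression behaviour the implementation guidelines warn about: because no end-of-line anchor is available, "^\/myapp" is a prefix match that also admits "/myapplication". The request model, rule names other than the two regular expressions, and the simplified protocol-violation check are assumptions of this example.

```python
"""Policy evaluator for the MY-HTTP-POLICY walkthrough (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# The two regular expressions configured in Tasks 3 and 4. re.DOTALL lets '.+'
# span newlines, as the text describes. MY_URI deliberately has no '$': the ASA
# regex engine has no end-of-line anchor, so it is a prefix match and also hits
# /myapps or /myapplication (the caveat from the implementation guidelines).
MY_URI = re.compile(r"^\/myapp")
BASIC_SQL_INJECTION = re.compile(r"[Ss][Ee][Ll][Ee][Cc][Tt].+[Ff][Rr][Oo][Mm]", re.DOTALL)


@dataclass
class HttpRequest:
    """Constructed request model. 'args' stands in for the Request Arguments container."""
    method: str
    uri: str
    args: str = ""


@dataclass
class Rule:
    """One inspection rule: the container it reads, the test applied to that
    container, whether the rule is 'match' or 'match not', and its action."""
    name: str
    container: str                 # request_method | request_uri | request_args | protocol
    test: Callable[[str], bool]
    match_not: bool = False
    action: str = "drop-connection"
    log: bool = True


def container_value(req: HttpRequest, container: str) -> str:
    """Extract the named HTTP container from a request."""
    if container == "request_method":
        return req.method
    if container == "request_uri":
        return req.uri
    if container == "request_args":
        return req.args
    if container == "protocol":
        # Simplified stand-in for 'Check for Protocol Violations' (Task 5): the
        # method must be upper-case ASCII letters and the URI an absolute path.
        well_formed = re.fullmatch(r"[A-Z]+", req.method) and req.uri.startswith("/")
        return "" if well_formed else "violation"
    raise ValueError(f"unknown container {container}")


# The rules in the order the walkthrough creates them (Tasks 2 to 5).
MY_HTTP_POLICY: List[Rule] = [
    Rule("PROTOCOL-VIOLATION", "protocol", lambda v: v == "violation"),
    Rule("METHOD-NOT-GET", "request_method", lambda m: m == "GET", match_not=True),
    Rule("URI-NOT-MYAPP", "request_uri", lambda u: MY_URI.search(u) is not None, match_not=True),
    Rule("BASIC-SQL-INJECTION", "request_args",
         lambda a: BASIC_SQL_INJECTION.search(a) is not None),
]


def evaluate(req: HttpRequest, rules: List[Rule] = MY_HTTP_POLICY) -> Tuple[str, List[str]]:
    """Return (verdict, names of rules that logged). A 'match' rule fires when
    its test is true, a 'match not' rule fires when its test is false. The
    first rule that fires decides; this is a simplification of the ASA's own
    evaluation order, kept here so each verdict has one visible cause."""
    logged: List[str] = []
    for rule in rules:
        fired = rule.test(container_value(req, rule.container)) != rule.match_not
        if fired:
            if rule.log:
                logged.append(rule.name)
            return rule.action, logged
    return "allow", logged


if __name__ == "__main__":
    samples = [
        HttpRequest("GET", "/myapp/index.html"),
        HttpRequest("POST", "/myapp/login", "user=a"),
        HttpRequest("GET", "/admin/"),
        HttpRequest("GET", "/myapplication/"),  # allowed: the prefix regex cannot be end-anchored
        HttpRequest("GET", "/myapp/search", "q=select * from users"),
        HttpRequest("get", "/myapp/"),          # lower-case method: protocol violation
    ]
    for s in samples:
        print(f"{s.method} {s.uri} -> {evaluate(s)}")
```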
Configure HTTP Inspection (Cont.)
Implementation Guidelines

When you deploy HTTP application layer access control policies using the AIC features of the Cisco ASA, consider the following implementation guidelines:
+ Analyze application behavior in detail before enabling aggressive actions that will affect application layer features. Use traffic captures and deploy your policies in detection mode, using only the logging of unwanted traffic, before implementing a preventive policy.
+ The regular expression engine of the Cisco ASA does not support the end-of-line ($) metacharacter and therefore does not allow you to match a specific custom value that would encompass an entire container (for example, a URI). For example, you cannot match requests that only contain the string "/myapp" inside their request URI. Instead, you can match requests whose URIs contain a substring (for example, the substring "myapp") or requests whose URIs start with a particular prefix (for example, "/myapp", which would also match requests whose URIs may be "/myapps", "/myapplication", and so on).
+ In addition to pattern policies, which are configured in this topic, you should also consider deploying policies that implement size restrictions on application layer containers. Such policies can also effectively prevent many overflow attacks.
+ A policy that only permits minimal required connectivity is usually the most effective, but also the most difficult to deploy, as you need deep knowledge of all required application transactions. Often, it may be easier to deploy a signature-based approach, or a combination of the two with a more relaxed minimization approach.

Verify HTTP Inspection

This topic describes how to verify HTTP inspection.

Verify HTTP Inspection
+ Per-class statistics will give you a general impression of inspector operation.
+ Per-protocol statistics can provide detailed statistics about individual inspection rules.

To display some global policy statistics and gain a general overview of the operation of application layer inspection, use the show service-policy command. This command shows whether the inspectors are actively inspecting traffic, indicated by the packet count, and whether packets are being dropped by the inspector.

Use the show service-policy inspect http command to display specific statistics for the HTTP inspector and observe the operation of individual matching rules. The example shows that 8 packets have been dropped and logged because the request method is not GET.

FTP Inspector Overview

This topic describes the Cisco ASA FTP inspector.

FTP Inspector Overview

The Cisco ASA FTP inspector will:
+ Parse some FTP commands and allow specific value-based and regular-expression-based matching inside these containers
+ Verify adherence to the FTP protocol, and log accessed URIs

The FTP inspection routines on the Cisco ASA parse the FTP protocol and break it into containers. Inside these containers, administrators can filter specific protocol values or use regular expressions for custom pattern matching rules. The FTP inspector on the security appliance also verifies adherence to the FTP protocol and logs all accessed FTP URIs (object names) at the highest level of logging (debugging). Additionally, you can filter FTP access by category using an external URL filtering server in the same manner as with the HTTP and HTTPS protocols.

FTP Inspector Overview (Cont.)
FTP Inspect Maps: Detailed Inspection Parameters
+ Configuration > Firewall > Objects > Inspect Maps > FTP

Just as you did with the HTTP protocol inspector, you can individually select and configure all of the parameters that are available to the FTP inspector by switching to the Details view of the Inspect Map window. From this view, you can tune the parameters that are set by the Security Level macros, or you can configure the entire policy from inception without initially using the Security Level options.
From the Parameters tab, you can individually enable or disable the masking of the FTP server banner and the masking of the response to the FTP SYST command.

FTP Inspector Overview (Cont.)
FTP Inspect Maps: Detailed Custom Inspections
+ Configuration > Firewall > Objects > Inspect Maps > FTP

From the Inspections tab of the Details pane of the FTP inspector, you can add individual inspection rules where you can granularly filter on aspects of the FTP protocol and its payloads. To create an inspection rule, click Add. The Add FTP Inspect window appears, allowing you to create an inspection rule that is based on the following criteria:
+ The filename pattern that is uploaded or downloaded through the FTP session
+ The file type that is uploaded or downloaded through the FTP session
+ The individual FTP commands that are passed between the client and the server
+ The server banner that is sent by the FTP server
+ The name of the user logging on to the FTP server

FTP Inspector Overview (Cont.)
FTP Inspect Maps: Security Level Macros
+ Configuration > Firewall > Objects > Inspect Maps > FTP

The FTP inspection policy maps for the security appliance allow you to choose between the low and high security levels inside the Add FTP Inspect Map window.
+ The low security level does not enable any additional actions except the default protocol verification and URI (file) logging. You can quickly add simple file type filtering rules to this policy using the File Type Filtering button, which will take you to an inspection rule that filters on FTP file types.
+ The high security level extends the features of the low security level by masking (hiding) the FTP server banner (hiding the vendor and version of the FTP application from clients). It also masks the server reply to the FTP SYST command, which could otherwise help an attacker fingerprint the operating system of the FTP server.

Evaluate Application Inspection of Other Protocols

This topic evaluates application inspection of other protocols.

Evaluate Application Inspection of Other Protocols
Other Available Inspectors

Evaluate Application Inspection of Other Protocols (Cont.)
Other Available Inspectors (Cont.)

The Cisco ASA supports application layer inspection for a handful of other application layer protocols. You can configure the following inspection functions:
+ For DNS, the DNS Application Inspection and Control feature on the appliance inspects the DNS protocol and allows administrators to specify access rules that provide protection of DNS clients and servers.
+ For ESMTP, the ESMTP inspection feature on the appliance examines ESMTP sessions between clients and servers or among servers, and parses them to verify adherence to the protocol. The feature also allows granular filtering to protect ESMTP endpoints, using signatures or minimization rules.
+ For the H.323 protocol suite, the AIC H.323 inspector on the appliance can perform H.323 protocol verification and filter on various protocol-level aspects, such as call duration, caller ID, called party ID, and media type (audio, video).
+ For SIP, the AIC SIP inspector can perform SIP protocol verification, provide privacy features (such as IP address and message path masking), and filter on various protocol-level aspects, such as message content type, caller ID, and called party ID.
+ For the SCCP protocol, the AIC SCCP inspector can perform SCCP protocol verification and filter messages based on their message ID.
+ For IM protocols, the security appliance can filter their sessions based on the IM protocol, IM service (chat, file transfer, and so on), IM login name, filename of transferred files, and so on.
+ For SNMP, the SNMP inspector can filter SNMP packets based on the SNMP protocol version.
+ For the DCE/RPC protocol, the DCE/RPC AIC inspector performs protocol verification with some tuning options.
+ For MGCP, the Cisco ASA security appliance can enforce the call agent and gateway roles of all communicating parties based on your static configuration of these roles inside the inspection policy map.
+ For the NetBIOS protocol, the AIC inspector performs protocol verification.
+ For RTSP, the RTSP AIC inspector can filter inside RTSP sessions based on the requested URL, its length, and the RTSP request method.

Summary

This topic summarizes the key points that were discussed in this lesson.

Summary
+ Cisco MPF provides a flexible framework for applying security policies to classified traffic.
+ OSI Layer 3-4 class maps classify traffic based on OSI Layer 3-4 criteria.
+ OSI Layer 3-4 policy maps associate actions with the traffic in OSI Layer 3-4 class maps.
+ Service policies apply an OSI Layer 3-4 policy map on an interface or globally.
+ You can enable, disable, and tune OSI Layer 3-4 stateful tracking and dynamic protocol support.

Summary (Cont.)
+ OSI Layer 5-7 class maps classify traffic inside inspected application sessions.
+ OSI Layer 5-7 policy maps control application inspection actions based on the criteria in OSI Layer 5-7 class maps.
+ The Cisco ASA provides a rich set of application layer inspection features for many protocols.
+ You can inspect application sessions using the available inspection engines.

Lesson 4
Deploying Reputation-Based Cisco ASA Access Policies

The Cisco ASA 5500-X Series Next-Generation Firewalls use the Botnet Traffic Filter feature to detect and prevent botnet activity that is detected in their networks. The Botnet Traffic Filter feature detects and prevents traffic from bot-infected hosts to their control servers using a reputation-based mechanism. This lesson provides an overview of the Cisco ASA Botnet Traffic Filter, and explains how to configure and verify the Cisco ASA Botnet Traffic Filter. Upon completing this lesson, you will be able to:
+ Describe the Cisco ASA Botnet Traffic Filter
+ Configure the Cisco ASA Botnet Traffic Filter
+ Verify the Cisco ASA Botnet Traffic Filter

Overview of the Cisco Botnet Traffic Filter

This topic describes the Cisco ASA Botnet Traffic Filter.

Overview of the Cisco Botnet Traffic Filter
+ The Botnet Traffic Filter is a reputation-based mechanism used to prevent traffic from and to known botnet hosts.
+ The Botnet Traffic Filter compares the source and destination addresses of each connection to the following: a dynamic Cisco SIO database, updated periodically by Cisco; and a static database, which can be populated manually.
+ When traffic matches an entry in either database, a syslog message is logged and traffic can be dropped.

The Cisco ASA uses the Cisco ASA Botnet Traffic Filter feature to detect and prevent botnet activity that is observed in its network.
The Botnet Traffic Filter feature detects and prevents traffic from bot-infected hosts to their control servers using a reputation-based mechanism. The Botnet Traffic Filter feature compares the source and destination IP addresses of each connection across the security appliance against entries in two databases:
+ A dynamic database from Cisco SIO (Security Intelligence Operations), which is updated by Cisco and is dynamically downloaded to the Cisco ASA at periodic intervals
+ A static database, which you can manually populate by adding good and bad IP addresses and domain names according to your local policy

When traffic transiting through the appliance matches an entry in either database, the Cisco ASA will generate a syslog message and drop the offending traffic if so configured.

Overview of the Cisco Botnet Traffic Filter (Cont.)
Dynamic Database
+ A dynamic database of known bad hostnames is downloaded from the Cisco SIO to the Cisco ASA and is constantly updated.
+ DNS replies for bad hostnames are cached on the appliance in a DNS reverse-lookup cache.
+ When a new connection is initiated, its source and destination addresses are compared with entries in the DNS reverse-lookup cache.

This figure describes how the Botnet Traffic Filter feature uses the dynamic database to detect and drop the botnet traffic. The Botnet Traffic Filter feature receives periodic updates for the dynamic database from the Cisco update server. This database lists thousands of known bad hosts or domain names and IP addresses that are known to host bots or botnet control servers. The Cisco ASA uses the dynamic database as follows:
1. An infected host wants to initiate a connection to www.example.bad-hostname.com, which is a host acting as a known control host for a botnet. The host issues a DNS request for www.example.bad-hostname.com.
2. The DNS server responds with a DNS reply for the www.example.bad-hostname.com host.
3. The Cisco ASA inspects the DNS reply.
When the domain name in the DNS reply matches a name in the dynamic database, the Botnet Traffic Filter adds the name and IP address to a special DNS reverse-lookup cache.
4. The infected host starts a connection to the botnet control site.
5. The security appliance compares the source and destination IP addresses to entries in the DNS reverse-lookup cache. If there is a match, the Cisco ASA sends a syslog message informing you of the suspicious botnet activity, and can have the traffic dropped.

Note: In some cases, the IP addresses supplied in the dynamic database are used directly. In these cases, the Botnet Traffic Filter can log or drop traffic to these IP addresses without having to inspect a DNS reply.

Note: Before you can use the Botnet Traffic Filter, you must configure a DNS server on the security appliance so that it can resolve the Cisco update server URL.

Overview of the Cisco Botnet Traffic Filter (Cont.)
Static Database
+ You can manually add bad or good hostnames and IP addresses to the static database.
+ Bad names are added to the blacklist; good names are added to the whitelist.
+ The Cisco ASA performs a DNS lookup for all statically added names, and adds the mappings to the DNS host cache.
+ When a new connection is initiated, its source and destination addresses are compared with entries in the DNS host cache.

In addition to using the dynamic database, you can manually enter domain names or IP addresses into a static database. In the static database, you can add known good domain names or IP addresses to a whitelist. You can also add known bad domain names and IP addresses to a blacklist. A whitelist entry always takes precedence over a static or dynamic blacklist entry. The Botnet Traffic Filter also uses ambiguous (greylist) and unlisted addresses. Unlisted addresses are not in

Configure the Cisco Botnet Traffic Filter
Task 1: Enable the Dynamic Database
+ Configuration > Firewall > Botnet Traffic Filter > Botnet Database
+ The downloaded database is stored in running memory
+ The update server determines how often the ASA polls the server for updates

To enable use of the dynamic Botnet Traffic Filter database using Cisco ASDM, complete the following steps:
1. In Cisco ASDM, navigate to Configuration > Firewall > Botnet Traffic Filter > Botnet Database.
2. Enable downloading of the dynamic database by checking the Enable Botnet Updater Client check box.
The update server will determine how often the ASA polls the update server. Typically, this is done every hour, which is the default.
3. Enable use of the dynamic database by checking the Use Botnet data dynamically downloaded from updater server check box.
4. Click Apply to apply your configuration.

Note: The downloaded database is stored in running memory only; it is not stored in flash memory. If you need to delete the database, you can click Purge Botnet Database. You can also download the database manually for testing purposes by clicking Fetch Botnet Database.

Configure the Cisco Botnet Traffic Filter (Cont.)
Task 2: Optionally, Add Entries to the Static Database
+ Configuration > Firewall > Botnet Traffic Filter > Black and White Lists
+ Add an entry to the blacklist to drop traffic from or to that host
+ Add an entry to the whitelist to receive a syslog message when traffic is going from or to that host

To add entries to the static database, complete the following steps:
1. In Cisco ASDM, navigate to Configuration > Firewall > Botnet Traffic Filter > Black and White Lists.
2. Click the Add button in the White List area to add a domain name or IP address to the whitelist, or click the Add button in the Black List area to add a domain name or IP address to the blacklist. The Add White List Entry or the Add Black List Entry window is displayed. In the example, the Add Black List Entry window is displayed. When traffic matches an entry in the static whitelist or blacklist, a syslog message is logged. When traffic matches an entry in the static blacklist, the traffic is also dropped if the ASA is configured to do so.
3. Enter the domain name, individual IP address, or IP address of a network into the Entries input field. In the example, a single bad host is added to the blacklist.
4. Click Apply to apply your configuration.

Note: Configure the DNS server for the ASA so that it can resolve static domain names to IP addresses.

Configure the Cisco Botnet Traffic Filter (Cont.)
Configure the Cisco Botnet Traffic Filter (Cont.)
Task 3: Enable DNS Snooping
+ Configuration > Firewall > Botnet Traffic Filter > DNS Snooping
+ DNS snooping is required to intercept and cache DNS replies in the DNS reverse lookup cache.
+ This window displays all policies that include DNS inspection.

To enable the Botnet Traffic Filter DNS snooping component to intercept and cache DNS replies, complete the following steps:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Botnet Traffic Filter > DNS Snooping. This window displays all configured policies that include DNS inspection.
2. Check the DNS Snooping Enabled check box.
3. Click Apply to apply your configuration.

Note: You can also enable DNS inspection with Botnet Traffic Filter DNS snooping by using the Service Policy Rules pane.

Configure the Cisco Botnet Traffic Filter (Cont.)
Task 4: Enable the Botnet Traffic Filter to Detect Botnet Traffic
+ Configuration > Firewall > Botnet Traffic Filter > Traffic Settings
+ Monitoring of traffic triggers syslog messages when traffic goes to or from blacklisted or whitelisted IP addresses.
+ Enable the Botnet Traffic Filter on all interfaces facing the Internet.

To enable the Botnet Traffic Filter to monitor traffic, complete the following steps:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Botnet Traffic Filter > Traffic Settings.
2. In the Traffic Classification section, check the Traffic Classified check box for each interface on which you want to enable the Botnet Traffic Filter. It is recommended to monitor traffic on all interfaces facing the Internet. In the example, the Botnet Traffic Filter is enabled on the outside interface.
3. For each interface, from the ACL Used drop-down list, choose either --ALL TRAFFIC-- to monitor all traffic (the default) or any access list configured on the ASA to monitor only a subset of traffic. For example, you might want to monitor all HTTP traffic to the outside. To create a new access list, click Manage ACL to bring up the ACL Manager, where you can create new access lists. In the example, all traffic is monitored.
4. Click Apply to apply your configuration.

Configure the Cisco Botnet Traffic Filter (Cont.)
Task 5: Enable the Botnet Traffic Filter to Drop Malicious Traffic
+ Configuration > Firewall > Botnet Traffic Filter > Traffic Settings

To enable the Botnet Traffic Filter feature to drop malicious traffic, complete the following steps:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Botnet Traffic Filter > Traffic Settings.
2. Click Add in the Blacklisted Traffic Actions section of the panel.
3. From the Interface drop-down list, choose the interface.

Verify the Cisco Botnet Traffic Filter
Firewall Dashboard

The Botnet Traffic Filter Home dashboard shows reports of the top 10 malware sites, ports, and infected hosts. This report is a snapshot of the data and may not match the top 10 items since the statistics started to be collected. If you right-click an IP address, you can invoke the whois tool to learn more about the botnet site.
+ Top Malware Sites: Shows the top malware sites.
+ Top Malware Ports: Shows the top malware ports.
+ Top Infected Hosts: Shows the top infected hosts.

Verify the Cisco Botnet Traffic Filter (Cont.)
Examine Cisco ASDM Botnet Traffic Filter Reports
+ Monitoring > Botnet Traffic Filter > Real-time Reports
+ Generates reports of the top 10 hosts.

In Cisco ASDM, you can also generate reports of the top 10 malware sites, ports, and infected hosts that are monitored by navigating to Monitoring > Botnet Traffic Filter > Real-time Reports. The top 10 malware-sites report includes the number of connections dropped and the threat level and category of each site. The report is a snapshot of the data and may not match the top 10 items since the statistics started to be collected. If you right-click a site IP address, you can invoke the whois tool to learn more about the malware site. Reports can be saved as a PDF file.

Verify the Cisco Botnet Traffic Filter (Cont.)
+ show dynamic-filter reports top: Generates reports of the top 10 malware entries.

Cisco ASA Software includes the following commands used with the Botnet Traffic Filter:
+ Use the show dynamic-filter data command to verify the dynamic database information of the Botnet Traffic Filter.
+ Use the show dynamic-filter dns-snoop command to examine the DNS reverse lookup cache.
+ Use the show dynamic-filter statistics command to display the statistics about connections that are monitored with the Botnet Traffic Filter, and how many of those connections matched the whitelist, the blacklist, and the greylist.
+ Use the show dynamic-filter reports top command (with the malware-sites, malware-ports, or infected-hosts keyword) to generate reports of the top 10 malware sites, ports, and infected hosts that are classified by the Botnet Traffic Filter.

Verify the Cisco Botnet Traffic Filter (Cont.)
+ Display dynamic database information.
+ Display the DNS snoop cache.

The show dynamic-filter data command displays the following information:
+ The version of the database
+ The time the database was last downloaded
+ The number of entries that the database contains
+ Up to 10 sample entries

The show dynamic-filter dns-snoop command displays only the summary of the DNS reverse-lookup cache. To display the actual mappings between domain names and IP addresses, use the show dynamic-filter dns-snoop detail command.

Deploying Identity-Based Cisco ASA Access Policies

Users in an enterprise often need access to one or more server resources. Typically, firewalls are not aware of user identities and therefore cannot apply security policies based on identity. To configure per-user access policies, you must configure a user authentication proxy, which requires user interaction (a username/password query). The Identity Firewall in the Cisco ASA provides granular access control based on user identities.

Verify IP-to-User Mappings on Cisco CDA
+ Verify mappings in the Mappings dashboard.
+ The administrator can delete the mappings.
+ The display output can be filtered.
+ The display refresh can be adjusted.

The Cisco CDA IP to Identity page displays the current IP-to-user mappings and allows the administrator to refresh, filter, and delete the mappings. The default screen refresh time is 10 seconds, which can be adjusted to 20 seconds, 30 seconds, 1 minute, 2 minutes, or never. The figure shows the GUI screen for monitoring IP-to-user mappings. From the Cisco CDA home page, click Mapping and choose IP to Identity. If there are no user-to-IP mappings on the Cisco CDA, one of the causes may be that the clocks on the Cisco CDA and the Active Directory servers are not synchronized. In the figure, Cisco CDA has two active IP-to-user mappings, in which the it1 user in the SECURE-X domain is mapped to the 10.10.10.10 IP address, and the user Administrator is mapped to the 10.10.3.20 IP address. Users can have multiple IP addresses if they are logged into multiple machines. So if an ACL rule matches the user, then the rule will match the user on either IP address.
From the IP to Identity page, click the filter icon on the top right-hand side to open the filter options. The IP to Identity display can be filtered based on IP Address, Message Type, Domain, Mapping Origin, Time Stamp, User Name, and Responds to Probe. When Responds to Probe is set to true for a mapping, Cisco ASA uses NetBIOS probes at the predefined interval and notifies Cisco CDA if this IP mapping is no longer valid.

Integrate Cisco ASA with AD and Cisco CDA

This topic describes how to configure the Cisco Adaptive Security Appliance to integrate with Microsoft Active Directory and with Cisco Context Directory Agent.

Integrate Cisco ASA with AD and Cisco CDA
To integrate Cisco ASA with AD and Cisco CDA, complete these tasks:
1. Configure the AD server on the ASA.
2. Configure Cisco CDA on the ASA.
3. Configure the user-identity options.

The figure lists the three main tasks to configure the Cisco ASA to integrate with Microsoft Active Directory and with Cisco CDA:
1. Configure the Active Directory servers in Cisco ASA.
2. Configure the Cisco CDA device in Cisco ASA as a RADIUS server.
3. Configure the identity-based firewall options in Cisco ASA.

The figure also shows a configuration scenario that will be used in the upcoming configuration tasks. You will first configure the Cisco ASA with the Active Directory server, then you will add the Cisco CDA to the ASA as the RADIUS server, and finally you will enable identity options on the Cisco ASA.

Integrate Cisco ASA with AD and Cisco CDA (Cont.)
Task 1: Configure the AD Server on the ASA
+ Configuration > Device Management > Users/AAA > AAA Server Groups

To configure the AD server on the Cisco ASA using Cisco ASDM, you have to add a AAA server group first. Complete the following steps to add a AAA server group:
1. In the Cisco ASDM, navigate to Configuration > Device Management > Users/AAA > AAA Server Groups.
2. Click Add in the AAA Server Groups section of the pane.
3. Enter the name of the AAA server group into the Server Group input field. The example in the figure uses the name AD.
4. Select LDAP as the protocol that is used to communicate with the Active Directory server.
5. Click OK.
6. Click Apply to apply the configuration.

Integrate Cisco ASA with AD and Cisco CDA (Cont.)
Task 1: Configure the AD Server on the ASA (Cont.)
+ Configuration > Device Management > Users/AAA > AAA Server Groups

When you are done with adding the server group, you have to add a server to the group. To add a server to the LDAP server group using Cisco ASDM, complete the following steps:
1. In the AAA Server Groups pane, make sure that the LDAP server group is selected.
2. Click Add in the Servers in the Selected Group section of the pane.
3. Choose the Cisco ASA interface that connects to the Active Directory server. In the example in the figure, the Active Directory server is connected to the inside interface.
4. Enter the Active Directory server FQDN or server IP address. In the example, the Active Directory server address is 10.10.3.20.
5. Optionally, check the Enable LDAP over SSL check box to enable encryption between Cisco ASA and the Active Directory server. By default, if LDAP over SSL is not enabled, the default server port is 389. If LDAP over SSL is enabled, then the default server port is 636. Choose Microsoft as the Server Type.
6. Specify the location in the LDAP hierarchy where the Active Directory server should begin searching when it receives an authorization request. In the example, the Base DN is set to DC=securex,DC=local. Specify the extent of the search in the LDAP hierarchy that the Active Directory server should make when it receives an authorization request from Cisco ASA. The default is to search one level beneath the base DN. In the example, Search All Levels Beneath the Base DN is chosen (a subtree search).
7. Enter the login DN and password for Cisco ASA to log in to the domain. In the example, SECURE-X\administrator is used as the login DN.
8. Specify the group base DN where the Active Directory server should begin searching for AD groups. In the example, the group base DN is set to DC=securex,DC=local.
9. Click OK.
10. Click Apply to apply the configuration.

Integrate Cisco ASA with AD and Cisco CDA (Cont.)
Task 2: Configure Cisco CDA on the ASA
+ Configuration > Device Management > Users/AAA > AAA Server Groups

When configuring Cisco CDA on the ASA, you have to configure a AAA server group and then add the CDA server to the group. To add a AAA server group using Cisco ASDM, complete the following steps:
1. In the Cisco ASDM, navigate to Configuration > Device Management > Users/AAA > AAA Server Groups.
2. Click Add in the AAA Server Groups section of the pane.
3. Enter the name of the AAA server group. In the example, the name is CDA.
4. Select RADIUS as the protocol that is used to communicate with Cisco CDA.
5. Check the Enable Active Directory Agent mode check box. It specifies that the RADIUS server group includes AD agents that are not full-function RADIUS servers.
6. Click OK.
7. Click Apply to apply the configuration.

To add the CDA server to the RADIUS server group using Cisco ASDM, complete the following steps:
1. In the AAA Server Groups pane, make sure that the RADIUS server group is selected.
2. Click Add in the Servers in the Selected Group section of the pane.
3. Choose the Cisco ASA interface that connects to the Cisco CDA server. In the example, the Cisco CDA is connected to the inside interface.
4. Enter the Cisco CDA FQDN or IP address. In the example, the CDA server IP address is 10.10.2.30.
5. The Cisco CDA can use either UDP port 1645 or UDP port 1812 for RADIUS authentication messages.
6. The Cisco CDA can use either UDP port 1646 or UDP port 1813 for RADIUS accounting messages.
7. Enter the Server Secret Key. This is the shared secret key between the Cisco ASA and the Cisco CDA. The key must match the configuration on the Cisco CDA.
8. Click OK.
9. Click Apply to apply the configuration.

Integrate Cisco ASA with AD and Cisco CDA (Cont.)
Task 3: Configure the User-Identity Options
+ Configuration > Firewall > Identity Options

To configure user-identity options using Cisco ASDM, complete the following steps:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Identity Options.
2. Click Add. Specify the domain NetBIOS name and select the previously configured LDAP AAA server group. In the example, SECURE-X is used as the domain name and the AD AAA server group is selected. Click OK.
3. Select the default domain. In the example, SECURE-X is used as the default domain.
4. Select the CDA AAA server group from the Agent Group drop-down menu. In the example, the CDA server group is selected.
5. Optionally, specify how frequently Cisco ASA exchanges hello packets with Cisco CDA. Cisco ASA uses the hello packet to obtain the Cisco ASA user-to-IP mapping status (in sync or out of sync) and the Active Directory domain status (up or down) from the Cisco CDA. If Cisco ASA does not receive a response from Cisco CDA, then Cisco ASA resends a hello packet after the specified interval. By default, the hello timer is set to 30 seconds and five retries.
6. Optionally, select how Cisco ASA will receive the IP-to-user mappings from Cisco CDA. The two modes are on-demand and full download. Full download specifies that Cisco ASA sends a full request to Cisco CDA to download the entire IP-to-user mapping table when Cisco ASA starts, and then receives incremental IP-to-user mapping information when users log in and log out. On-demand mode specifies that Cisco ASA sends an on-demand request to Cisco CDA to retrieve specific IP-to-user mapping information only when required. For the Cisco ASA 5505 Adaptive Security Appliance, which has limited memory and CPU power and is usually deployed in a limited network environment to support only as many as 1024 users, the default mode is on-demand mode. The default mode on all other Cisco ASA platforms is full download mode.
7. Optionally, adjust the timer for how often Cisco ASA polls the Active Directory server for Active Directory group membership information. If a user is added to or deleted from an Active Directory group, the Cisco ASA receives the updated user group after this timer expires. By default, the timer is set to every 8 hours.
8. Click Apply to apply the configuration.
Integrate Cisco ASA with AD and Cisco CDA (Cont.)
CLI Configuration

To integrate Cisco ASA with Microsoft Active Directory and Cisco CDA for the identity-based firewall using the command-line interface, use the commands that are described in the table. The LDAP login password and the RADIUS shared secret are not legible in the figure and are shown as placeholders.

Creates the LDAP AAA server group:
  aaa-server AD protocol ldap
Configures the LDAP server and the LDAP search parameters:
  aaa-server AD (inside) host 10.10.3.20
   ldap-base-dn DC=securex,DC=local
   ldap-group-base-dn DC=securex,DC=local
   ldap-scope subtree
   ldap-login-password <ldap-password>
   ldap-login-dn SECURE-X\administrator
   server-type microsoft
Creates the RADIUS AAA server group and enables AD agent mode:
  aaa-server CDA protocol radius
   ad-agent-mode
Configures the CDA server:
  aaa-server CDA (inside) host 10.10.2.30
   key <shared-secret>
Configures the user-identity options:
  user-identity domain SECURE-X aaa-server AD
  user-identity default-domain SECURE-X
  user-identity ad-agent aaa-server CDA

Verify Cisco ASA Integration with AD and Cisco CDA

This topic describes how to verify Cisco Adaptive Security Appliance integration with Microsoft Active Directory and with Cisco Context Directory Agent.

Verify Cisco ASA Integration with AD and Cisco CDA
Cisco ASA Integration with AD
+ Configuration > Device Management > Users/AAA > AAA Server Groups
+ You can also use the test aaa-server CLI command.

You can use the Test AAA server group functionality in the Cisco ASDM to verify if the ASA can communicate with the AD server:
1. In Cisco ASDM, navigate to Configuration > Device Management > Users/AAA > AAA Server Groups.
2. Select the LDAP server group and select the AD server.
3. Click the Test button. In the window that opens, select the Authentication radio button and specify the username and password of a test user. In the example, it1 is used as the test user. Click OK.
4. Observe the result of the test. In the example, the test was successful.

You can use the same function by using the test aaa-server CLI command. The following is an example of the command output:

  ASA# test aaa-server authentication AD host 10.10.3.20 username it1 password cisco
  INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
  INFO: Authentication Successful
Verify Cisco ASA Integration with AD and Cisco CDA (Cont.)
Cisco ASA Integration with CDA
+ Configuration > Firewall > Identity Options
+ You can also use the test aaa-server ad-agent CLI command.

You can use the Test Active Directory Agent function in the Cisco ASDM to verify if the ASA can communicate with the CDA server:
1. In Cisco ASDM, navigate to Configuration > Firewall > Identity Options.
2. Click the Test button.
3. Observe the result of the test. In the example, the test was successful.

You can use the same functionality by using the test aaa-server ad-agent CLI command.

Verify Cisco ASA Integration with AD and Cisco CDA (Cont.)
+ Displays the Cisco CDA and Microsoft Active Directory domain status.

As the figure shows, both the Cisco CDA status and the Active Directory domain status should be in the up state. This command output also displays information about the mode of operation (on-demand or full-download) between the Cisco ASA and Cisco CDA devices. This information shows the IP address of the Cisco CDA device and the port that is used for RADIUS communications between Cisco ASA and Cisco CDA. The output also shows the Cisco ASA interface to which Cisco CDA connects, that the Cisco CDA device is up, and the average RTT time. Cisco ASA is also listening on UDP port 3799. Cisco CDA uses UDP port 3799 to send notifications to Cisco ASA.

Verify Cisco ASA Integration with AD and Cisco CDA (Cont.)
Cisco CDA Integration with ASA
+ Registered Devices

The Registered Devices page displays a list of consumer devices that are connected to Cisco CDA and that are subscribed to receive IP-to-user mapping updates (on-demand or full-download). To view all the registered devices, click Registered Devices in the home page. Or, from the home page, click the View Registered Devices link in the Add Consumer Devices section to open the Registered Devices page (which is not shown in the figure). The figure shows that the Cisco ASA device is the only registered device.
Configure Identity-Based Access Rules

This topic describes how to configure identity-based access rules.

Configure Identity-Based Access Rules
To configure Cisco ASA identity-based rules, complete these tasks:
1. (Optional) Configure user object groups.
2. Configure identity-based access rules.

To configure the identity-based access rules on the Cisco ASA, perform the following tasks:
1. Optionally, configure user object groups, which allow you to group Active Directory users and groups.
2. Configure identity-based access rules.

The figure shows a configuration scenario that will be used for the upcoming configuration tasks. You will allow the Marketing AD group to access the Marketing server and the Sales AD group to access the Sales server. You will also create a user object group consisting of the it1 and engineer1 users and allow them access to both servers.

Configure Identity-Based Access Rules (Cont.)
Task 1: Configure User Object Groups
+ Configuration > Firewall > Objects > Local User Groups

In the first task of this configuration sequence, you will configure a user object group that will include the it1 and engineer1 users. Perform the following steps to configure a user object group:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Objects > Local User Groups.
2. Click Add to add a new group. The Add User Object Group pane will display.
3. Enter a name for the user object group into the Group Name input field. In the example, the name of the group is FULL-ACCESS-USERS.
4. In the Users section of the pane, click Find to list all users in the AD. You can also specify a filter to find only a subset of users in the AD.
5. Select a required user and click the Add >> button. Repeat this step to add all required users. In the example, the engineer1 and it1 users are being added to the group.
6. Similarly, by navigating to the User Groups section of the pane, you could also add an AD group to the user object group.
7. Click OK.
8. Click Apply to apply your configuration.
Configure Identity-Based Access Rules (Cont.)
Task 2: Configure Identity-Based Access Rules
+ Configuration > Firewall > Access Rules

In the first part of the second task of this configuration sequence, you will configure a rule to allow the Sales AD group access to the Sales server. Perform the following steps to configure a user-based access rule:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Access Rules (not shown in the figure).
2. Select the interface you want to create the ACL rule on. Click Add. The Add Access Rule window will display.
3. Make sure that the correct interface is selected.
4. Select the action. In the example, the Permit action is selected.
5. In the Source Criteria section of the window, enter the AD group name in the User input field or click the ... button to find the group in the AD. If you click the ... button, the Browse User window is displayed.
6. In the User Groups section of the pane, click Find to list all groups in the AD. You can also specify a filter to find only a subset of groups in the AD.
7. Select a required group and click the Add >> button. In the example, the Sales group has been added.
8. Click OK.
9. Fill in the rest of the required information, such as the destination IP address or object (or object group) and service. In the example, the Sales Server object is specified as the destination and all IP traffic is specified as the service.
10. Click OK.
11. Click Apply to apply your configuration.

Similarly, you would create another rule to allow the Marketing group to access the Marketing server.

Configure Identity-Based Access Rules (Cont.)
Task 2: Configure Identity-Based Access Rules (Cont.)
+ Configuration > Firewall > Access Rules

In the second part of the second task of this configuration sequence, you will configure an access rule to allow the FULL-ACCESS-USERS object group to access both servers. Perform the following steps to configure the user-based access rule:
1. In the Cisco ASDM, navigate to Configuration > Firewall > Access Rules (not shown in the figure).
2. Select the interface you want to create the ACL rule on. Click Add. The Add Access Rule window will display.
3. Make sure that the correct interface is selected.
4. Select the action. In the example, the Permit action is selected.
5. In the Source Criteria section of the window, click the ... button. The Browse User window is displayed.
6. Select LOCAL from the Domain drop-down menu.
7. Select the required local group and click the Add >> button. In the example, the FULL-ACCESS-USERS group has been selected.
8. Click OK.
9. Fill in the rest of the required information, such as the destination IP address or object (or object group) and service. In the example, the SERVERS object is specified as the destination and all IP traffic is specified as the service.
10. Click OK.
11. Click Apply to apply your configuration.

Configure Identity-Based Access Rules (Cont.)
CLI Configuration

To configure the identity-based access rules using the command-line interface, use the commands that are described in the table:

Creates a user object group and adds two users to it:
  object-group user FULL-ACCESS-USERS
   user SECURE-X\engineer1
   user SECURE-X\it1
Creates ACL entries that match the AD groups, and an ACL entry that matches the local user object group:
  access-list inside_access_in extended permit ip user-group SECURE-X\\Sales any object Sales_Server
  access-list inside_access_in extended permit ip user-group SECURE-X\\Marketing any object Marketing_Server
  access-list inside_access_in extended permit ip object-group-user FULL-ACCESS-USERS any object-group SERVERS
Applies the ACL to the inside interface:
  access-group inside_access_in in interface inside

Verify the Identity-Based Firewall

This topic describes how to verify the identity-based firewall.

Verify the Identity-Based Firewall
+ Display all active and inactive users in the Cisco ASA user database.
+ Inactive users have had no active traffic for longer than the configured value.

Use the show user-identity user all list command to display all the users (referenced in an active policy) in the Cisco Adaptive Security Appliance user database. This includes both active and inactive users. The output also shows which users have active connections. Inactive users have had no active traffic for longer than the value that is configured with the user-identity inactive-user-timer command. The IP address of an inactive user is marked as inactive and removed from the Cisco ASA IP-to-user mapping. In the figure, the output shows all the active and inactive users in the Cisco ASA user database. In this example, only the SECURE-X\sales1 user currently has an active connection on Cisco ASA.
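The matching performed by the identity-based ACL configured above (an AD group, a local user object group or a single user as the source criterion, resolved through the IP-to-user mapping in which one user may own several addresses), as an added Python model that is not part of the course material. The server addresses, the second sales1 machine and the marketing1 user are constructed for the example.

```python
r"""Model of Cisco ASA identity-based access rule matching.

Added example, not Cisco code. An ACE's source criterion is matched against
the user behind the packet's source IP (found through the IP-to-user mapping,
where one user may own several addresses), then the destination is checked
as usual. Source syntax follows the course text: DOMAIN\\group (double
backslash) is an Active Directory group, DOMAIN\user is a single user, and a
bare name is a local user object group; all names are case-insensitive.
"""
import ipaddress


class IdentityFirewall:
    def __init__(self, ip_to_user, ad_groups, user_object_groups, dest_objects):
        self.ip_to_user = ip_to_user                   # "10.10.10.10" -> r"SECURE-X\sales1"
        self.ad_groups = ad_groups                     # r"SECURE-X\Sales" -> {users}
        self.user_object_groups = user_object_groups   # "FULL-ACCESS-USERS" -> {users}
        self.dest_objects = dest_objects               # object name -> [ip_network, ...]
        self.acl = []                                  # ordered ACEs: (action, source, destination)

    def add_ace(self, action, source, destination):
        self.acl.append((action, source, destination))

    @staticmethod
    def _ci_get(mapping, name):
        """Case-insensitive lookup: user and group names are not case sensitive."""
        return next((v for k, v in mapping.items() if k.lower() == name.lower()), set())

    def _source_matches(self, criterion, user):
        if criterion == "any":
            return True
        if user is None:
            return False         # no IP-to-user mapping: an identity ACE cannot match
        if "\\\\" in criterion:  # DOMAIN\\group -> Active Directory group membership
            members = self._ci_get(self.ad_groups, criterion.replace("\\\\", "\\"))
        elif "\\" in criterion:  # DOMAIN\user -> one specific user
            return user.lower() == criterion.lower()
        else:                    # bare name -> local user object group
            members = self._ci_get(self.user_object_groups, criterion)
        return user.lower() in {m.lower() for m in members}

    def _dest_matches(self, destination, dst):
        if destination == "any":
            return True
        return any(dst in net for net in self.dest_objects[destination])

    def evaluate(self, src_ip, dst_ip):
        """Return (action, index of the matching ACE); implicit deny at the end."""
        user = self.ip_to_user.get(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for index, (action, source, destination) in enumerate(self.acl):
            if self._source_matches(source, user) and self._dest_matches(destination, dst):
                return action, index
        return "deny", None


def demo():
    """Constructed scenario after the course figure: the Sales and Marketing AD
    groups reach their own servers, FULL-ACCESS-USERS reach both. Server
    addresses and the extra sales1 machine are assumptions."""
    net = ipaddress.ip_network
    fw = IdentityFirewall(
        ip_to_user={
            "10.10.10.10": r"SECURE-X\sales1",
            "10.10.10.11": r"SECURE-X\sales1",       # same user logged in twice
            "10.10.10.20": r"SECURE-X\marketing1",
            "10.10.10.30": r"SECURE-X\it1",
        },
        ad_groups={
            r"SECURE-X\Sales": {r"SECURE-X\sales1"},
            r"SECURE-X\Marketing": {r"SECURE-X\marketing1"},
        },
        user_object_groups={"FULL-ACCESS-USERS": {r"SECURE-X\engineer1", r"SECURE-X\it1"}},
        dest_objects={
            "Sales_Server": [net("10.10.3.40/32")],
            "Marketing_Server": [net("10.10.3.41/32")],
            "SERVERS": [net("10.10.3.40/32"), net("10.10.3.41/32")],
        },
    )
    fw.add_ace("permit", r"SECURE-X\\Sales", "Sales_Server")
    fw.add_ace("permit", r"SECURE-X\\Marketing", "Marketing_Server")
    fw.add_ace("permit", "FULL-ACCESS-USERS", "SERVERS")
    return {
        "sales_to_sales": fw.evaluate("10.10.10.10", "10.10.3.40"),
        "sales_second_ip": fw.evaluate("10.10.10.11", "10.10.3.40"),
        "sales_to_marketing": fw.evaluate("10.10.10.10", "10.10.3.41"),
        "it1_to_marketing": fw.evaluate("10.10.10.30", "10.10.3.41"),
        "unmapped_host": fw.evaluate("10.10.10.99", "10.10.3.40"),
    }
```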
Verify the Identity-Based Firewall (Cont.)
+ Display details about all active users.
+ Display the IP address of a particular user.

Use the show user-identity user active list detail command to display information about all the active users. In the figure, Cisco ASA has two active users: SECURE-X\Administrator, who has the IP address 10.10.3.20, and SECURE-X\sales1, who has the IP address 10.10.10.10. The sales1 user has been logged in for 64 minutes with one active connection.

Use the show user-identity ip-of-user command to display the IP address of a particular user. In the figure, the SECURE-X\sales1 user has the IP address 10.10.10.10, and the user is currently logged in to the DEMO domain.

Verify the Identity-Based Firewall (Cont.)
+ Monitoring > Properties > Identity > Users
+ Cisco ASDM identity firewall monitoring options

To monitor the Identity Firewall by using the Cisco Adaptive Security Device Manager (Cisco ASDM), choose Monitoring > Properties > Identity and monitor the following options:
+ Monitoring Active Directory Agents: This pane displays the following information about the primary and secondary Cisco CDAs (not shown in the figure):
  - Status of the Cisco CDAs
  - Status of the domains
  - Statistics for the Cisco CDAs
+ Monitoring Groups: This pane displays a list of user groups in the domain\group_name format (not shown in the figure).
+ Monitoring Memory Usage for the Identity Firewall: This pane displays the memory usage in bytes of various modules in the Identity Firewall (not shown in the figure):
  - Users
  - Groups
  - User stats
  - LDAP
+ Monitoring Users for the Identity Firewall: This pane displays the following information for users (shown in the figure):
  - domain\user_name
  - Status (active or inactive)
  - Connections
  - Minutes idle

Verify the Identity-Based Firewall (Cont.)
Verify Access Rules
+ Configuration > Firewall > Access Rules

Use the Configuration > Firewall > Access Rules ASDM panel to verify the configured user-based access rules and their statistics.

In the figure, the first user-based ACE in the ACL that is applied inbound to the inside interface permits all IP traffic that is sourced from the Sales Active Directory group in the SECURE-X domain to the Sales server destination. The users in the Sales group can have any IP address.

In the figure, the second user-based ACE in the ACL that is applied inbound to the inside interface permits all IP traffic that is sourced from the Marketing Active Directory group in the SECURE-X domain to the Marketing server destination. The users in the Marketing group can have any IP address.

In the figure, the third ACE in the ACL that is applied inbound to the inside interface permits all IP traffic that is sourced from the engineer1 and it1 users in the Active Directory in the SECURE-X domain to both the marketing and sales servers. The users can have any IP address.

To reference an Active Directory user group in an ACE when manually entering the group, use "\\" after the domain name; for example, SECURE-X\\group1. To reference an Active Directory user in an ACE when manually entering the user, use "\" after the domain name; for example, SECURE-X\user1. User and user group names are not case sensitive.

Troubleshoot Identity-Based Firewall

This topic describes how to troubleshoot the identity-based firewall.

Troubleshoot Identity-Based Firewall
Troubleshooting Tools

To troubleshoot issues that are related to the identity-based firewall, you can use a set of Cisco Adaptive Security Appliance CLI, Cisco Adaptive Security Device Manager, and Cisco Context Directory Agent verification features. The figure lists some common commands and features that you might find useful during the troubleshooting session. Typically, you will examine why a particular session cannot be established through the security appliance.

Troubleshoot Identity-Based Firewall (Cont.)
Troubleshooting Flow

This figure shows the recommended task flow for troubleshooting the identity-based firewall on the Cisco ASA. Follow these steps and use the provided commands to troubleshoot events where a host appears to have connectivity issues due to the identity-based firewall:
+ First, determine whether the Cisco CDA is connected to the AD server. You can verify the connection by examining the Cisco CDA Home dashboard. The green check box next to the AD domain and server indicates a successful connection. If the CDA is not connected to the AD, verify CDA-to-AD connectivity. Verify whether a firewall blocks communication on the required ports. You should also verify the requirements for the user account that is used to connect to AD, and the Windows Server setup requirements.
+ Then verify whether the CDA accepts new IP-to-user mappings. Determine whether the IP-to-user mapping limit of 20,000 has been exceeded; a lower, recommended limit also applies. From the Cisco CDA GUI, use the counter in the IP-to-user mappings table to see the current IP-to-user mapping count.
+ Next, determine whether a Microsoft Windows user login triggers an IP-to-user mapping.
